All protected merchant endpoints require two headers:
X-Api-Key: bmx_pk_xxx
X-Api-Secret: bmx_sk_xxx
| Header | Description |
|---|
X-Api-Key | Public key that identifies the merchant API credential. |
X-Api-Secret | Secret shown once when the key is created in the merchant dashboard. |
If authentication fails, the API returns 401 Unauthorized.
Credential handling
- Create API keys in the merchant dashboard.
- Store
X-Api-Secret in a secret manager.
- Never expose API secrets in mobile apps, browsers, logs, or public repositories.
- Rotate or revoke credentials from the dashboard if a secret is exposed.
Example
GET /customers/22222222-2222-2222-2222-222222222222
X-Api-Key: bmx_pk_xxx
X-Api-Secret: bmx_sk_xxx
Merchant resources are scoped to the merchant attached to the API key. A key cannot access another merchant’s customers, quotes, payments, transfers, or webhook configuration. Last modified on July 8, 2026