Skip to main content
All protected merchant endpoints require two headers:
X-Api-Key: bmx_pk_xxx
X-Api-Secret: bmx_sk_xxx
HeaderDescription
X-Api-KeyPublic key that identifies the merchant API credential.
X-Api-SecretSecret shown once when the key is created in the merchant dashboard.
If authentication fails, the API returns 401 Unauthorized.

Credential handling

  • Create API keys in the merchant dashboard.
  • Store X-Api-Secret in a secret manager.
  • Never expose API secrets in mobile apps, browsers, logs, or public repositories.
  • Rotate or revoke credentials from the dashboard if a secret is exposed.

Example

GET /customers/22222222-2222-2222-2222-222222222222
X-Api-Key: bmx_pk_xxx
X-Api-Secret: bmx_sk_xxx
Merchant resources are scoped to the merchant attached to the API key. A key cannot access another merchant’s customers, quotes, payments, transfers, or webhook configuration.
Last modified on July 8, 2026