API Key Authentication
DHMAD uses API key authentication. Each request must include your API key using one of the methods below.Getting Your API Key
- Log into the Developer Dashboard
- Navigate to the “API Keys” section
- Create a new API key or use an existing one
- Copy the key (it’s only shown once!)
Using Your API Key
You can authenticate using either method:Method 1: Bearer Token (Recommended)
Include your API key in theAuthorization header as a Bearer token:
Method 2: X-API-Key Header
Include your API key in theX-API-Key header:
Example Requests
API Key Format
API keys follow this format:- Live keys:
sk_live_followed by 64 hex characters — for production (https://dhmad.tn/api) - Sandbox keys:
sk_sandbox_followed by 64 hex characters — for the sandbox (https://sandbox.dhmad.tn/api)
Account Association
Security Best Practices
Store Securely
Never commit API keys to version control. Use environment variables or secret management services.
Rotate Regularly
Regenerate your API keys periodically for better security.
Use Different Keys
Use separate API keys for development, staging, and production environments.
Monitor Usage
Regularly check your API key usage in the dashboard for any suspicious activity.
Error Responses
401 Unauthorized
If your API key is missing or invalid, you’ll receive a 401 error:403 Forbidden
If your API key is valid but your developer account is not associated with a user account:Rate Limiting
API requests are subject to rate limits:- Default: 100 requests per minute per IP address
- Custom limits: You can set a custom rate limit when creating or updating an API key
- Exceeding limit: Returns 429 Too Many Requests
The default rate limit applies per IP address. If you need higher limits, contact support@dhmad.tn
Testing Your Authentication
You can test your API key by making a simple request to the balance endpoint:- Your API key is correct
- The key is active (not revoked)
- Your developer account is associated with a user account