The two required headers
| Header | What it does | Where you use it |
|---|---|---|
| public-api-key | Identifies your account publicly. | Client SDK initialization and server calls. |
| private-secret-key | Authorizes server-side operations. | Server only. Never in client code. |
The account code
The Dashboard also exposes an account_id value for your account. This is not an HTTP header. It is a value you place inside request bodies on endpoints that take an account_id field, such as POST /v1/checkout/sessions and POST /v1/payments. The gateway derives the account scope internally from your authenticated key pair, then matches the account_id you sent in the body to confirm which account the call should run against.
If you maintain a single account, set account_id once in your client config. If you operate multiple accounts under one organization, branch on the merchant context to pick the right account_id per call.
Get your API keys
Open the Dashboard
Sign in to the Yuno Dashboard with your merchant account.
Navigate to API Keys
Go to Developers. You will see separate credentials for sandbox and production.
Copy the values
Copy public-api-key and private-secret-key for the environment you need (sandbox for development, production for live traffic). Also copy the account_id value if your endpoints require an account_id body field. See Environments for the base URL per environment.
Example request
Every call sends the two headers together. This is the pattern you will repeat everywhere.
Sandbox and production credentials
Each environment has its own credentials. Sandbox keys against production (or the opposite) return an authentication error. Pick the right base URL and the matching key set for the environment you are calling.
Sandbox
Base URL
https://api-sandbox.y.uno
Credentials
Sandbox keys from the Dashboard. No real funds. Use the Yuno Testing Gateway and test cards to exercise flows.
Production
Base URL
https://api.y.uno
Credentials
Production keys from the Dashboard. Real funds, real customers, real settlement.
Safe retries
Yuno does not currently honor a generic X-Idempotency-Key header on most write endpoints. The dedupe pattern is a unique business key that you control and can look up later.
| Resource | Set this field | Look up with |
|---|---|---|
| Customer | merchant_customer_id | Retrieve Customer by External ID |
| Payment | merchant_order_id (on the upstream checkout session) | Get Payment by Merchant Order |
| Recipient | merchant_recipient_id | Recipient lookup endpoint |
POST /v1/subscriptions, which accepts an X-Idempotency-Key header with permanent dedupe per account. See Avoiding duplicates for the full pattern.
Security
- Store keys in environment variables or a secret manager. Never commit them to git, hard code them, or log them.
- Use different keys per environment (sandbox, staging, production) and per service where possible.
- Rotate keys periodically from the Dashboard. Rotate immediately if a key is exposed.
- Restrict private-secret-key to server code, CI secrets, and infrastructure vaults. The public key is the only one that may live on the client.
- Monitor API usage in the Dashboard for unexpected patterns.
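The header pair, the per-environment base URLs and the key-handling rules above, combined in one server-side helper. This is an added example, not code from Yuno's documentation or SDKs. The YUNO_* environment variable names and the function names are assumptions, and the request body is reduced to the two fields this page names.

```python
import json
import os
import urllib.request

# Base URLs exactly as listed on this page, keyed by environment name.
BASE_URLS = {"sandbox": "https://api-sandbox.y.uno", "production": "https://api.y.uno"}
SECRET_HEADERS = {"private-secret-key"}  # values that must never reach a log line


def load_credentials(env=os.environ):
    """Load one environment's key set. The YUNO_* variable names are assumptions."""
    name = env.get("YUNO_ENV", "sandbox")
    if name not in BASE_URLS:
        raise ValueError(f"unknown environment: {name!r}")
    creds = {"base_url": BASE_URLS[name]}
    # Per-environment names keep sandbox keys from being paired with the production URL.
    for field in ("public_api_key", "private_secret_key", "account_id"):
        var = f"YUNO_{name}_{field}".upper()
        if not env.get(var):
            raise KeyError(f"missing environment variable {var}")
        creds[field] = env[var]
    return creds


def build_request(creds, path, body):
    """Build (without sending) a server-side POST: both headers, account_id in the body."""
    payload = dict(body, account_id=creds["account_id"])
    headers = {"public-api-key": creds["public_api_key"],
               "private-secret-key": creds["private_secret_key"],
               "Content-Type": "application/json"}
    return urllib.request.Request(creds["base_url"] + path, method="POST",
                                  data=json.dumps(payload).encode(), headers=headers)


def loggable_headers(request):
    """Copy of the request headers with secret values replaced by a fixed marker."""
    return {k: "[REDACTED]" if k.lower() in SECRET_HEADERS else v
            for k, v in request.header_items()}


if __name__ == "__main__":
    sample = {"YUNO_ENV": "sandbox",  # constructed values, not real credentials
              "YUNO_SANDBOX_PUBLIC_API_KEY": "pk-constructed",
              "YUNO_SANDBOX_PRIVATE_SECRET_KEY": "sk-constructed",
              "YUNO_SANDBOX_ACCOUNT_ID": "acct-constructed"}
    req = build_request(load_credentials(sample), "/v1/checkout/sessions",
                        {"merchant_order_id": "order-1001"})
    print(req.full_url, loggable_headers(req))
```

urllib normalizes header names to a leading capital (Private-secret-key), which is why the redaction check compares lower-cased names.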
What next
Quickstart
Your first sandbox payment end to end.
Environments
Sandbox vs production and the go live checklist.
Avoiding duplicates
Safe retries with unique business keys.
Error handling
The error envelope and which codes are safe to retry.