Everything you need to integrate crypto payments into your app. Explore endpoints, authentication flows, webhooks, and live code examples across REST & WebSocket — built for developers who ship fast.
Every request to the dptcay API must be authenticated with an API key. This guide covers obtaining keys, securing them in headers, understanding scopes, managing rate limits, and rotating credentials safely.
API keys are provisioned through the dptcay developer dashboard. Each key is tied to your account and environment — keep test keys for sandbox use and live keys strictly for production systems.
Log in to the dashboard
Navigate to dashboard.dptcay.io and sign in with your developer account credentials.
Open API Keys under Settings
In the left sidebar, go to Settings → API Keys. You'll see all existing keys and their status.
Click "Generate New Key"
Choose your desired scope (read-only or write), add a descriptive label, and confirm generation.
Copy and store securely
The full key is shown exactly once. Store it in a secrets manager (Vault, AWS Secrets Manager, etc.) immediately.
Security warning: Never embed API keys in client-side code, public repositories, or environment files committed to version control. Treat them like passwords — rotate immediately if compromised.
All authenticated requests must include your API key in the Authorization header using the Bearer token scheme. No cookie-based or query-string authentication is supported.
Authorization:Bearer<your_api_key>curl -X GET https://api.dptcay.io/v1/payments -H "Authorization: Bearer dp_live_sk_4f8a2b..." -H "Content-Type: application/json"
Follow the principle of least privilege. Assign only the scope your integration actually requires. A read-only key cannot mutate data even if the underlying account has write permission.
Analytics dashboards, read-only reporting tools, monitoring services.
Backend payment processing, webhook management, server-side integrations.
Rate limits are enforced per API key using a sliding window algorithm. Response headers expose your current consumption in real time.
| Plan | Requests / min | Burst Limit | Monthly Quota |
|---|---|---|---|
| Starter | 100 req / min | 150 | 50,000 |
| Growth | 500 req / min | 700 | 500,000 |
| Scale | 2,000 req / min | 3,000 | 5,000,000 |
| Enterprise | Custom | Custom | Unlimited |
Rate Limit Response Headers
X-RateLimit-LimitMaximum requests allowed in the current windowX-RateLimit-RemainingRequests remaining before hitting the limitX-RateLimit-ResetUnix timestamp when the window resetsRetry-AfterSeconds to wait after a 429 response (present only on 429)Rotate API keys on a scheduled basis — at minimum every 90 days, immediately upon any suspected compromise, or when team members with key access leave. The zero-downtime rotation pattern below ensures no dropped requests.
Scheduled Rotation
Set calendar reminders to rotate production keys every 60–90 days regardless of incident.
Emergency Rotation
If a key is exposed in logs, code, or a breach — revoke it immediately without waiting for a cycle.
Store in Secrets Managers
Use HashiCorp Vault, AWS Secrets Manager, or GCP Secret Manager. Never in .env files in git.
# Step 1: Create a new API key
curl -X POST https://api.dptcay.io/v1/keys
-H "Authorization: Bearer dp_live_sk_OLD_KEY"
-d '{"scope": "write", "label": "prod-v2"}'
# Step 2: Revoke the old key
curl -X DELETE https://api.dptcay.io/v1/keys/dp_live_sk_OLD_KEY
-H "Authorization: Bearer dp_live_sk_NEW_KEY"The dptcay API returns standard HTTP status codes. Below are the authentication-related errors you may encounter and how to resolve them.
Unauthorized
HTTP Status Code 401
Common Causes
Resolution
Verify the Authorization header is set to Bearer <your_key> and that the key is active in your dashboard.
{ "error": "Unauthorized", "code": 401, "message": "..." }Rate Limited
HTTP Status Code 429
Common Causes
Resolution
Inspect the Retry-After response header for the exact cooldown period. Implement exponential backoff and consider upgrading your plan.
{ "error": "Rate Limited", "code": 429, "message": "..." }For a complete list of all dptcay API error codes, status messages, and retry strategies, see the full API Reference →
All endpoints are prefixed with https://api.dptcay.com/v1. Every request requires a valid API key passed via the Authorization header.
| Method | Endpoint Path | Description | Auth Scope | Details |
|---|---|---|---|---|
| POST | /payments/create | Initiate a new crypto payment request. Returns a payment object with a unique ID, wallet address, and expiration timestamp. | payments:write | |
| GET | /payments/{id} | Retrieve the current status and full details of an existing payment by its unique identifier. | payments:read | |
| POST | /refunds | Issue a full or partial crypto refund against a completed payment. Funds are returned to the original sender's wallet address. | refunds:write | |
| GET | /currencies | List all supported cryptocurrencies with current exchange rates, network fees, and confirmation requirements. | currencies:read | |
| POST | /webhooks/register | Register a URL to receive real-time event notifications for payment status changes, refunds, and disputes. | webhooks:write |
/payments/createInitiate a new crypto payment request. Returns a payment object with a unique ID, wallet address, and expiration timestamp.
/payments/{id}Retrieve the current status and full details of an existing payment by its unique identifier.
/refundsIssue a full or partial crypto refund against a completed payment. Funds are returned to the original sender's wallet address.
/currenciesList all supported cryptocurrencies with current exchange rates, network fees, and confirmation requirements.
/webhooks/registerRegister a URL to receive real-time event notifications for payment status changes, refunds, and disputes.
All responses are JSON-encoded. Successful responses return HTTP 200. Errors return standard 4xx / 5xx codes with a machine-readable error.code field. See the full API Docs for error codes and rate limit headers.
Crypto Payments. One API. Infinite Possibilities.
Integrate Bitcoin, ETH, USDC, and 50+ assets into your product in minutes — not weeks.
© 2026 dptcay. All rights reserved.
Built for developers. Trusted by fintech teams worldwide.