Authentication Overview

Waffo Pancake supports two authentication methods for API access:

| Method | Use Case | Description |
| --- | --- | --- |
| API Key | Server-to-server calls | Permanent authentication using Merchant ID and private key |
| Store Slug | Public checkout flows | Public access using X-Store-Slug and X-Environment headers |

API Key Authentication

API Keys provide permanent server-to-server authentication. The private key never leaves your server.
API Key authentication is handled by the SDK. Install @waffo/pancake-ts and provide your Merchant ID and private key; the SDK signs each request automatically.

```typescript
import { WaffoPancake } from "@waffo/pancake-ts";

const client = new WaffoPancake({
  merchantId: process.env.WAFFO_MERCHANT_ID!,
  privateKey: process.env.WAFFO_PRIVATE_KEY!,
});

// All requests are automatically authenticated
const { store } = await client.stores.create({ name: "My Store" });
```

API Key authentication does not require the X-Environment header. The environment is determined by the key’s registered environment (test or prod).

Store Slug Authentication

For public-facing checkout flows, use Store Slug authentication. This allows visitors to interact with checkout endpoints without API Key credentials.

| Header | Description |
| --- | --- |
| X-Store-Slug | Your store’s unique slug identifier |
| X-Environment | test or prod (required) |

```bash
curl -X POST https://waffo-pancake-auth-service.vercel.app/v1/actions/checkout/create-session \
  -H "X-Store-Slug: my-store-abc123" \
  -H "X-Environment: test" \
  -H "Content-Type: application/json" \
  -d '{"productId": "...", "productType": "onetime", "currency": "USD"}'
```

Creating API Keys

1. Go to Developers Page
   Navigate to Dashboard → Developers → API Keys.

2. Create API Key
   Click “Create API Key” to generate a new key pair. The public key is sent to the server automatically.

3. Name and Configure
   Give it a descriptive name (e.g., “Production Server”) and select the target environment (Test or Production).

4. Download Private Key
   Download your private key immediately. It will not be shown again.

Deleting an API key is immediate and irreversible. Any requests using the deleted key will fail with 401 Unauthorized.

Security Best Practices

  • Never expose private keys in client-side code, version control, or public repositories
  • Use environment variables to store keys in your server application
  • Separate test and production keys — create distinct keys for each environment
  • Rotate keys regularly, especially after team member changes
  • Monitor API usage in the Dashboard for unusual activity

```bash
# Store key as environment variable
export WAFFO_PRIVATE_KEY="your-private-key-content"
export WAFFO_MERCHANT_ID="your-merchant-uuid"
```
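
As an added example (not part of the Waffo SDK or of the original page), a startup check that enforces the first two practices before the client is constructed. `loadWaffoCredentials` and the prefix list are hypothetical names, and the check assumes the Merchant ID is a UUID, as the placeholder above suggests.

```typescript
// Added example: fail closed at startup instead of relying on the `!` assertion.
type Env = Record<string, string | undefined>;

// Prefixes that Next.js, Vite and Create React App inline into browser bundles.
const CLIENT_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "REACT_APP_"];
// Assumption: Merchant IDs are UUIDs (the page's placeholder is "your-merchant-uuid").
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const DOC_PLACEHOLDER = "your-private-key-content";

function loadWaffoCredentials(env: Env): { merchantId: string; privateKey: string } {
  const merchantId = (env.WAFFO_MERCHANT_ID ?? "").trim();
  const privateKey = env.WAFFO_PRIVATE_KEY ?? ""; // returned unmodified
  const problems: string[] = [];

  if (!merchantId) problems.push("WAFFO_MERCHANT_ID is not set");
  else if (!UUID_RE.test(merchantId)) problems.push("WAFFO_MERCHANT_ID is not a UUID");

  if (!privateKey.trim()) problems.push("WAFFO_PRIVATE_KEY is not set");
  else if (privateKey.trim() === DOC_PLACEHOLDER)
    problems.push("WAFFO_PRIVATE_KEY still holds the documentation placeholder");

  // A secret stored under a client prefix, or copied into one, ships to the browser.
  for (const name of Object.keys(env)) {
    if (!CLIENT_PREFIXES.some((p) => name.startsWith(p))) continue;
    const copied = privateKey.trim() !== "" && env[name] === privateKey;
    if (name.includes("WAFFO_PRIVATE_KEY") || copied)
      problems.push(`${name} exposes the private key to client-side code`);
  }

  // Report variable names only; the key value never appears in an error message.
  if (problems.length > 0)
    throw new Error("Waffo credential check failed: " + problems.join("; "));
  return { merchantId, privateKey };
}

// Server-side usage: new WaffoPancake(loadWaffoCredentials(process.env))
```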

Authentication Errors

| Status | Message | Solution |
| --- | --- | --- |
| 401 | Invalid API key | Verify your Merchant ID and private key are correct |
| 401 | Missing authentication | Ensure the SDK is initialized with valid credentials |
| 403 | Insufficient permissions | Use a key with the required permissions |