Skip to main content

Authentication

GStable API uses API Keys to authenticate requests. You can view and manage your API Keys on the [API Keys] page of the GStable dashboard.

Base URL

All API requests for the GStable service are sent to the following production environment address:

https://api.gstable.io/payment/v1

Authentication Method

GStable follows the standard HTTP Bearer authentication scheme. When calling any API endpoint, please include the Authorization field in the Header, formatted as Bearer followed by your API Key:

Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxx

Example Code

An example of calling the API using curl is as follows:

curl https://api.gstable.io/payment/v1/product/list \
  -H "Authorization: Bearer sk_live_51Mz..." \
  -H "Content-Type: application/json" \
  -d '{
    "limit": 10
  }'
Note

Please ensure there is a space between Bearer and the API Key.

API Key Types

GStable currently provides two types of production keys, distinguished by their prefixes:

TypePrefixDescription & Usage
Secret Keysk_live_...Full permission standard key. Has complete control over the account (create links, query data, refund, etc.). Strictly for server-side use only.
Restricted Keyrk_live_...Read-only or restricted permission key. Usually used for specific query operations or client-side integration.
Security Warning

Secret Key (sk_live_...) must be kept strictly confidential.

  • NEVER hardcode it in frontend code (React, Vue, iOS, Android).
  • NEVER commit it to public code repositories like GitHub.
  • If there is a risk of leakage, please rotate the key immediately in the management dashboard.

About Test Environment

Currently, GStable only provides the Mainnet environment.

Since DEX liquidity pools on blockchain Testnets are usually unstable and cannot accurately simulate slippage and routing experiences in real payments, to ensure integration reliability, we recommend testing directly on the Mainnet.

Recommended Test Flow:

  1. Integrate using sk_live keys.
  2. Create low-price products.
  3. Perform small amount payment tests using a real wallet.
  4. Verify Webhook callbacks and order status changes.

Authentication Errors

If the API Key is missing, invalid, or expired, the API will return an HTTP 401 status code. This is usually the only case where a 401 is returned.

Common reasons:

  • Header format error (forgot the Bearer prefix).
  • Used a revoked Key.
  • Key typo.