All requests to the ToffeePay API must be authenticated using a Bearer token in the Authorization header:
Authorization: Bearer <your_access_token>
You’ll receive your access token when you register your game. Keep it secret and only use it server-side.

Environments

| Environment | Base URL |
| --- | --- |
| Production | https://api.toffeepay.com |
| Sandbox | https://api.sandbox.toffeepay.com |
Each environment uses separate access tokens. Use sandbox tokens for development and testing.

Best Practices

  1. Server-side only: Never expose access tokens in client-side code
  2. Use HTTPS: All API requests must be made over HTTPS
  3. Store securely: Use environment variables or a secrets manager to store access tokens

Error Handling

If authentication fails, the API returns a 401 Unauthorized response. Common causes:
  • Missing or malformed Authorization header
  • Invalid or expired access token
  • Using a sandbox token against production (or vice versa)
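
A server-side sketch of the practices and 401 causes above, added here as an example and not taken from ToffeePay's own code or SDK. The environment variable names (`TOFFEEPAY_SANDBOX_TOKEN`, `TOFFEEPAY_PRODUCTION_TOKEN`), the helper names and the request path passed by the caller are assumptions; only the base URLs and the header format come from this page.

```python
import os
import urllib.error
import urllib.request

# Base URLs from the Environments table on this page.
BASE_URLS = {
    "production": "https://api.toffeepay.com",
    "sandbox": "https://api.sandbox.toffeepay.com",
}

class AuthConfigError(Exception):
    """Authentication problem reported without ever including the token."""

def load_token(environment, environ=os.environ):
    # Assumed naming: one variable per environment, so a sandbox token
    # cannot be picked up by production code by accident.
    var = f"TOFFEEPAY_{environment.upper()}_TOKEN"
    token = environ.get(var, "").strip()
    if not token:
        raise AuthConfigError(f"{var} is not set")
    if any(ch.isspace() for ch in token):
        raise AuthConfigError(f"{var} contains whitespace; the header would be malformed")
    return token

def build_request(environment, path, environ=os.environ):
    if environment not in BASE_URLS:
        raise AuthConfigError(f"unknown environment {environment!r}")
    # The base URL is fixed per environment, so the token only travels over HTTPS
    # and only to the host that issued it.
    url = BASE_URLS[environment] + "/" + path.lstrip("/")
    request = urllib.request.Request(url)
    request.add_header("Authorization", f"Bearer {load_token(environment, environ)}")
    return request

def send(environment, path, environ=os.environ, opener=urllib.request.urlopen):
    request = build_request(environment, path, environ)
    try:
        return opener(request)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            # Name the environment, never the token, in logs and errors.
            raise AuthConfigError(
                f"401 Unauthorized from {environment}: check that the token is "
                "valid, unexpired and issued for this environment"
            ) from err
        raise
```
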