# Merchant APIs

> Server-side merchant endpoints for invoices, tokens, events, and settlement.

## Overview

Merchant APIs power core Pepay payment flows for merchants: invoices, token catalogs, settlement preferences, events, and webhooks. Use these endpoints from your backend or trusted server environment.

## Authentication

Merchant APIs use a merchant-scoped API key:

* Header: `x-api-key: <merchant_key>`
* Keys are created in the Pepay Dashboard: [https://pepay.io/sign-in](https://pepay.io/sign-in)
* Keep keys server-side; never embed them in browser or mobile apps.

Key management (create/list/revoke) is handled in the dashboard and is not part of the public API reference.

## What belongs here

* `/api/v1/invoices/*` for creating and managing invoices.
* `/api/v1/merchant/tokens*` for token availability and search.
* `/api/v1/events/*` and `/api/v1/ws/token` for realtime events.
* Settlement and merchant settings under `/api/v1/merchant/*`.

## Related APIs

* Commerce APIs use `x-commerce-api-key` and live under `/api/commerce/*`.
* Payor APIs use session headers (`x-session-token`, `x-signature`) for checkout UIs.

## Request

Use a merchant API key in the request header:

```bash
curl "https://api-beta.pepay.io/api/v1/invoices?limit=1" \
  -H "x-api-key: pk_live_..."
```

## Response

```json
{
  "object": "list",
  "data": [],
  "has_more": false
}
```

## Errors

* `401` missing or invalid `x-api-key`
* `403` key lacks required permissions
* `429` request exceeds rate limits

## Examples

* Use separate keys per environment and rotate keys on a fixed schedule.
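The following is an added example, not Pepay's own code: a server-side client that reads the merchant key from the environment, sends it as `x-api-key`, and treats the documented `401`/`403` and `429` responses differently. The `PEPAY_MERCHANT_KEY` variable name, the `list_invoices` helper, the `PepayAuthError` class, and the backoff schedule are assumptions of this example.

```python
import json
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://api-beta.pepay.io"  # host taken from the curl example on this page


class PepayAuthError(Exception):
    """401/403, or no key configured: a key problem that a retry cannot fix."""


def _send(req):
    """Default transport: return (status, body) instead of raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def list_invoices(limit=1, send=_send, max_attempts=4, sleep=time.sleep):
    # The key lives in the server's environment, one variable per deployment
    # environment, never in source code or in a browser/mobile bundle.
    # PEPAY_MERCHANT_KEY is a name assumed for this example.
    key = os.environ.get("PEPAY_MERCHANT_KEY")
    if not key:
        raise PepayAuthError("PEPAY_MERCHANT_KEY is not set")
    req = urllib.request.Request(
        f"{BASE_URL}/api/v1/invoices?limit={int(limit)}",
        headers={"x-api-key": key},
    )
    for attempt in range(max_attempts):
        status, body = send(req)
        if status == 200:
            return json.loads(body)
        if status in (401, 403):
            # Fail fast, and keep the key itself out of the error message and logs.
            raise PepayAuthError(f"HTTP {status}: check the key and its permissions")
        if status == 429 and attempt + 1 < max_attempts:
            sleep(2 ** attempt)  # backoff schedule is an assumption of this example
            continue
        raise RuntimeError(f"HTTP {status} from Pepay; giving up")
```

The `send` and `sleep` parameters exist so the retry and error paths can be exercised without network access.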

Next: [Merchant invoices](/api-spec/merchant/invoices)
