Skip to main content

Overview

Tender uses HMAC-based authentication to secure API requests. You’ll need two credentials:
  1. Access ID - Your public API identifier
  2. Access Secret - Your private key for signing requests
Never share your Access Secret or commit it to version control. Treat it like a password.

Generating API Credentials

1

Log in to Dashboard

Navigate to sandbox-merchant.tender.cash (sandbox) or merchant.tender.cash (live) and log in to your account.
2

Navigate to API Settings

  • Click on Settings in the sidebar
  • Select API Credentials
3

Create New Credentials

  • Click Generate New Credentials
  • Give your credentials a descriptive name (e.g., “Production API”, “Dev Server”)
4

Save Your Credentials

Important: Copy and securely store both credentials immediately. The Access Secret will only be shown once.
  • Access ID: Copy this value
  • Access Secret: Copy this value (shown only once)
  • Store them in a secure location (password manager, environment variables, secrets manager)

Test vs Production Credentials

Test Credentials are for:
  • Development and integration
  • Testing payment flows
  • Webhook testing
  • Uses testnet cryptocurrencies
Base URL: https://sandbox-api.tender.cash

Managing Credentials

Viewing Active Credentials

In the dashboard, you can:
  • View all active API credentials
  • See last used date
  • Check usage statistics
  • View credential names and environments

Revoking Credentials

If credentials are compromised:
1

Generate new credentials

Create replacement credentials immediately
2

Update your systems

Deploy new credentials to all systems
3

Revoke old credentials

Delete compromised credentials from dashboard
4

Monitor for issues

Check that all systems are working with new credentials

Next Steps

Authentication Guide

Learn how to sign API requests with your credentials

Quick Start

Make your first API call

Troubleshooting

Possible causes:
  • Incorrect Access ID or Secret
  • Invalid HMAC signature
  • Using test credentials on production endpoint (or vice versa)
Solution: Verify your credentials and signature generation
Check:
  • Are you using the correct environment (test vs production)?
  • Have the credentials been revoked?
  • Is the timestamp in the correct format?
  • Is the signature generated correctly?