Authentication - Developers

Authentication

All API requests require authentication via your API key. RukkyHub uses a simple key-based authentication model.

Getting Your API Key

To get your API key:

  1. Purchase an API access plan from the Developer Portal in your dashboard.
  2. Once approved, go to Developer Portal → API Keys and click Create API Key.
  3. Give your key a name, select the required scopes (permissions), enter your PIN, and submit.
  4. Copy the key immediately. It will only be shown once.

Sending the API Key

Include your API key in the X-API-KEY header (recommended):

X-API-KEY: YOUR_API_KEY

Or send it as a POST body parameter:

key=YOUR_API_KEY

Example with cURL using header:

curl -X POST https://developers.rukkyhub.com/api/v1 \
  -H "X-API-KEY: rk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -d "action=balance"

Never expose your API key in client-side code, version control, or public repositories. Use environment variables on your server.
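
A -H argument typed on the command line ends up in shell history and can be visible to other local users in the process list. The sketch below is an added example, not RukkyHub's own code: it sends the same balance request but reads the key from an environment variable (RUKKYHUB_API_KEY, a hypothetical name) and hands it to curl through a config on stdin. It assumes keys and action names contain only letters, digits, _ and -.

```shell
#!/bin/sh
# Added example (not RukkyHub's code). RUKKYHUB_API_KEY is a hypothetical
# variable name; the endpoint and X-API-KEY header come from the page.
RK_API_URL="https://developers.rukkyhub.com/api/v1"

# Succeeds only for non-empty strings made of letters, digits, "_" and "-".
# Assumption: keys and action names use only these characters. Rejecting
# everything else keeps quotes, backslashes and newlines out of the config.
rk_is_safe() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print a curl config for one action. The key is read from the environment
# and written with the printf builtin, so it is never part of a command line.
rk_curl_config() {
    rk_action="$1"
    rk_key="${RUKKYHUB_API_KEY:-}"
    case "$rk_key" in
        rk_live_?*) ;;
        *) echo "RUKKYHUB_API_KEY is unset or lacks the rk_live_ prefix" >&2
           return 1 ;;
    esac
    if ! rk_is_safe "$rk_key" || ! rk_is_safe "$rk_action"; then
        echo "refusing unexpected characters in key or action" >&2
        return 1
    fi
    printf 'url = "%s"\n' "$RK_API_URL"
    printf 'header = "X-API-KEY: %s"\n' "$rk_key"
    printf 'data = "action=%s"\n' "$rk_action"
}

# Send the request; curl reads URL, header and body from stdin.
rk_call() {
    rk_cfg=$(rk_curl_config "$1") || return 1
    printf '%s\n' "$rk_cfg" |
        curl --silent --show-error --fail --proto '=https' --max-time 30 --config -
}

# Usage, with RUKKYHUB_API_KEY already exported by your secret store:
#   rk_call balance
```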

API Key Types

  • Live Key — prefixed with rk_live_. Use in production. Processes real orders and transactions.

Key Scopes (Permissions)

When creating an API key, you can restrict which actions it can perform. Available scopes:

  • services — List SMM services
  • add — Place SMM orders
  • status — Check SMM order status
  • balance — Check account balance
  • vtu_data_plans, vtu_sme_plans, vtu_cable_plans, vtu_electric_discos — List plans
  • vtu_cable_verify, vtu_electricity_verify — Verify customer/meter
  • vtu_airtime, vtu_data, vtu_sme, vtu_cable, vtu_electricity, vtu_education, vtu_recharge_card — Purchase VTU services
  • vtu_status — Check VTU transaction status
  • giftcard_cards — List available gift card types and rates
  • giftcard_trade — Submit a gift card for trade
  • giftcard_trades — View your gift card trade history

IP / Domain Whitelist

For enhanced security, you can restrict an API key to specific IP addresses or domains. Configure this in the API Key Security modal in the Developer Portal. When a domain whitelist is enforced, send the X-API-ORIGIN header or pass origin=/domain= in the request body.

The whitelist validation returns these errors:

  • "API key is restricted to whitelisted domains." + detected_domain — The request origin doesn't match. Update your whitelist or send the correct header.
  • "This check needs an Origin (browser) or X-API-ORIGIN header" — Server-side calls (curl/Postman) need an explicit X-API-ORIGIN header when a domain whitelist is enforced. Use an IP whitelist instead for server-to-server integration.

Revoking a Key

If a key is compromised, revoke it immediately from the Developer Portal. Revoked keys stop working instantly. You can then generate a new key.
