Authentication
HeritagePay uses separate authentication models for end users and institution operators.
Plane A: mobile end users
Plane A is driven by phone number, OTP, and PIN:
- POST /auth/otp/issue
- POST /auth/otp/verify
- POST /auth/register or POST /auth/login
- Use Authorization: Bearer <accessToken> on subsequent requests
- Rotate with POST /auth/refresh
- Revoke with POST /auth/logout
Mobile requests also send:
Plane B: operators and integrations
Plane B uses institution API keys:
Routes that mutate sensitive operator state may also require HMAC signing. Keep that signing code server-side; do not place Plane B keys inside mobile apps.
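The page states that sensitive mutating operator routes may require HMAC signing but does not publish the scheme. The following is an added illustration, not HeritagePay's own code: it assumes a canonical string of method, path, timestamp and SHA-256 body hash, assumed header names (X-Institution-Key, X-Timestamp, X-Signature), a 300-second freshness window, and a hypothetical path. It shows both the server-side signer an integration would run and the verification the API would perform, including constant-time comparison and rejection of stale or tampered requests.

```python
"""Added example of HMAC request signing for Plane B operator calls.

Not HeritagePay's code. Header names, canonical string layout, the
freshness window and the sample path are all assumptions; replace
them with the real specification before use. Runs offline.
"""
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional

# Assumed header names (not taken from the page).
KEY_HEADER = "X-Institution-Key"
TS_HEADER = "X-Timestamp"
SIG_HEADER = "X-Signature"
MAX_SKEW_SECONDS = 300  # assumed replay window

# Constructed demo credentials; a real deployment loads these from a vault
# on the server, never from a mobile app bundle.
DEMO_KEYS: Dict[str, bytes] = {"inst_demo": b"demo-secret-do-not-ship"}


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, time and body hash so none can be swapped independently."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str,
                 body: bytes, now: Optional[float] = None) -> Dict[str, str]:
    """Produce the headers an integration attaches to a mutating request."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(secret, canonical_string(method, path, ts, body),
                   hashlib.sha256).hexdigest()
    return {KEY_HEADER: key_id, TS_HEADER: str(ts), SIG_HEADER: mac}


def verify_request(lookup_secret: Callable[[str], Optional[bytes]], method: str,
                   path: str, body: bytes, headers: Dict[str, str],
                   now: Optional[float] = None) -> Optional[str]:
    """Return None when the request is acceptable, otherwise a short reason."""
    key_id = headers.get(KEY_HEADER, "")
    secret = lookup_secret(key_id) if key_id else None
    if secret is None:
        return "unknown key"
    try:
        ts = int(headers.get(TS_HEADER, ""))
    except ValueError:
        return "bad timestamp"
    current = int(now if now is not None else time.time())
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return "stale timestamp"  # limits replay of a captured request
    expected = hmac.new(secret, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, headers.get(SIG_HEADER, "")):
        return "bad signature"
    return None


if __name__ == "__main__":
    # Hypothetical route and body, constructed for the demo.
    body = b'{"dailyLimit": 5000}'
    headers = sign_request("inst_demo", DEMO_KEYS["inst_demo"], "POST",
                           "/operators/limits", body)
    print(headers)
    print(verify_request(DEMO_KEYS.get, "POST", "/operators/limits", body, headers))
```

The signer runs on the integration's server and the verifier on the API; a mobile client never sees the secret, which is the page's reason for keeping Plane B keys out of apps.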
Developer portal login
This Zudoku portal supports Clerk, Auth0, OpenID Connect, or Supabase. Configure one provider in .env:
When a provider is configured, API reference and operational pages are protected and the API playground can sign requests using the developer's session.