Upstream Authentication
Gateways need to authenticate with your upstream API when proxying requests. PayWeave supports four authentication methods. Credentials are encrypted at rest and never exposed to callers.
Authentication types
| Type | How it works |
|---|---|
| None | No authentication added. Use for public upstream APIs. |
| Header | A custom header is attached to every proxied request. |
| Query parameter | A key-value pair is appended to the upstream URL query string. |
| Basic | HTTP Basic auth credentials are sent in the Authorization header. |
Header authentication
The most common method. Specify the header name and value. PayWeave adds this header to every request proxied to your upstream:
Header name: Authorization
Header value: Bearer sk-your-upstream-api-key
You can use any header name - Authorization, X-API-Key, or a custom header your upstream expects.
Query parameter authentication
Some APIs authenticate via a query string parameter. PayWeave appends it to the upstream URL automatically:
Parameter name: api_key
Parameter value: your-secret-key
Upstream call: https://api.example.com/search?q=hello&api_key=your-secret-key
Basic authentication
Provide a username and password. PayWeave encodes them as a standard HTTP Basic auth header:
Username: admin
Password: s3cret
Proxied header: Authorization: Basic YWRtaW46czNjcmV0
No authentication
Select this when your upstream is a public API or handles its own auth via the caller's request body. PayWeave proxies requests without adding any credentials.
Credential encryption
All authentication credentials - header values, query parameter values, and passwords - are encrypted using AES-256-GCM before storage. They are decrypted only at proxy time in an isolated runtime. Credentials are never logged, and they are never included in API responses or webhooks.
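The following sketch is an added example, not PayWeave's own code. It shows how a proxy could attach each of the credential types above to an outgoing request, and how to mask a query-parameter credential before the upstream URL is logged. The function names, the `auth` dictionary layout, and the choice to overwrite a caller-supplied header or parameter of the same name are assumptions made for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def _without(headers, name):
    """Copy headers, dropping any entry whose name matches case-insensitively."""
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def apply_upstream_auth(auth, url, headers):
    """Return (url, headers) with the configured upstream credential attached.

    Assumption of this sketch: a caller-supplied header or parameter with the
    same name is replaced, so the caller cannot override the stored credential.
    """
    kind = auth["type"]
    if kind == "none":
        return url, dict(headers)
    if kind == "header":
        out = _without(headers, auth["name"])
        out[auth["name"]] = auth["value"]
        return url, out
    if kind == "query":
        parts = urlsplit(url)
        query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                 if k != auth["name"]]
        query.append((auth["name"], auth["value"]))  # urlencode escapes the value
        return urlunsplit(parts._replace(query=urlencode(query))), dict(headers)
    if kind == "basic":
        raw = f'{auth["username"]}:{auth["password"]}'.encode("utf-8")
        out = _without(headers, "Authorization")
        out["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
        return url, out
    raise ValueError(f"unknown auth type: {kind!r}")


def redact_for_log(auth, url):
    """Mask a query-parameter credential before the URL is written to a log."""
    if auth["type"] != "query":
        return url
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == auth["name"] else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Query-parameter credentials travel in the URL itself, so any component that records full upstream URLs needs the kind of masking `redact_for_log` performs.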