API Authorization & Headers

For backend based API request/call, Midtrans API requires HTTP(s) headers that will be explained below.

Content-Type and Accept Header

Midtrans API uses JSON format for input and output, hence it is required to specify JSON as content-type & accept JSON as response. The header specification is as shown below.

  • Content-Type: application/json
  • Accept: application/json

Authorization Header

The Authorization header is used by Midtrans API to identify merchant ID for initiating the request and also to process the request according to the authorization. The Authorization Header is developed from the Server Key This is a safety feature to prevent any unauthorized users.

As analogy in physical world, it can be considered as "a key to your car", so that only you can access your car (and only your car can be accessed by you).


Access Keys are unique for every merchant. Server Keys are secret, please always keep Server Key confidential.

To generate Authorization header value, follow the steps given below.

  1. Follow the format of Basic Authentication. (example: Username:Password)
  2. Username and password are separated by : character.
  3. Server Key is used as Username, there is no password, so password is blank/empty string.
  • For example, if your Server Key is SB-Mid-server-abc123cde456, then Username:Password would be SB-Mid-server-abc123cde456:.
  1. Encode this value into base64 format.
  • For example, base64 of SB-Mid-server-abc123cde456: is U0ItTWlkLXNlcnZlci1hYmMxMjNjZGU0NTY6.
  1. Add the word Basic as prefix.
  • The above value would be Basic U0ItTWlkLXNlcnZlci1hYmMxMjNjZGU0NTY6.
  1. Your Authorization header is ready.
  • Authorization: Basic U0ItTWlkLXNlcnZlci1hYmMxMjNjZGU0NTY6

Check out our tool to try out Authorization Header calculation.

Complete HTTP(s) Headers

HTTP(s) HeaderTypeDescription
Content-Typeapplication/jsonIt indicates that JSON format will be used in the request. Midtrans API accepts JSON requests.
Acceptapplication/jsonIt indicates that JSON format is acceptable as response for the request. Midtrans API responds back in JSON.
Authorizationbase64Encode(Server Key+":")The Authorization field in Basic Auth format, Server Key is used as username, and the password is blank.

Sample Request

curl -X POST \
  https://app.sandbox.midtrans.com/snap/v1/transactions \
  -H 'Accept: application/json'\
  -H 'Authorization: Basic U0ItTWlkLXNlcnZlci1hYmMxMjNjZGU0NTY6' \
  -H 'Content-Type: application/json' \
  -d '{
    "transaction_details": {
        "order_id": "YOUR-ORDERID-123456",
        "gross_amount": 10000

Exception on Frontend API Request

For API request from frontend/client side, such as GET Card Token API, the headers explained earlier are not required. To avoid the risk of exposing your Server Key on your publicly accessible frontend, you should not use Server Key to authorize the request. Instead, Client Key is used to authorize the HTTP(s) request.

Below is a sample request and explanation of the /v2/tokenendpoint.

HTTP(s) MethodGET
HTTP(s) Header-
API endpoint urlhttps://api.sandbox.midtrans.com/v2/token
Query Param for authclient_key=<YOUR-CLIENT-KEY>

curl 'https://api.sandbox.midtrans.com/v2/token?client_key={YOUR-CLIENT-KEY}&card_cvv=123&gross_amount=20000&currency=IDR&card_number=4811111111111114&card_exp_month=02&card_exp_year=2025'