Connecting to the Helcim API

Connect and authenticate with the Helcim API and HelcimPay.js using your API Access Configuration.

The Helcim API and HelcimPay.js require a valid api-token sent in the header of all requests to authenticate with the Helcim system.

A merchant or developer needs to log in to the Helcim platform and create an API Access Configuration with their desired Access Permissions in order to generate a unique api-token for their account. For instructions on how to create an API Access Configuration, you can review the following documentation.


Testing your connection

To test that you are passing a valid api-token in the header of your requests, you can use the Connection Test endpoint in our API References.

On a successful connection, this endpoint will return a response message indicating that your connection was successful.

{
  "message": "Connected Successfully"
}

If your request contains an invalid API token, you will receive an error response from the API indicating that you are unauthorized to make the request. Please confirm that your API token is correct and valid for the endpoint you are calling before sending a new request.

{
  "errors": "Unauthorized"
}

API token best practices

API tokens should be protected by merchants and developers, as having access to a valid token gives a bad actor the potential to process payments and make modifications to a merchant’s account. This is similar to why merchants should protect their password and not share it with anyone.

We recommend obscuring your Helcim API token in your integration's back-end environment files and never making this token visible in your client-side code. When communicating with Helcim support and sending screenshots of code, or API request and response payloads, we encourage merchants and developers to obscure all but the last four digits of their API token value.
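The following is an added example, not part of Helcim's documentation or code, showing one way to apply both recommendations: read the token from the back-end environment and mask all but its last four characters in anything copied into a support ticket or log. The environment variable name HELCIM_API_TOKEN, the sample token and the example.invalid host are assumptions constructed for this illustration.

```python
import os
import re
from typing import Optional

# Matches the api-token header in curl commands, raw HTTP dumps and JSON
# header maps, e.g.  api-token: VALUE   or   "api-token": "VALUE"
_HEADER_RE = re.compile(r"""(api-token["']?\s*[:=]\s*["']?)([^\s"',}]+)""", re.I)


def mask_token(token: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters with '*'."""
    if len(token) <= keep:
        return "*" * len(token)  # too short to show any part of it
    return "*" * (len(token) - keep) + token[-keep:]


def redact(text: str, known_token: Optional[str] = None) -> str:
    """Mask api-token header values and any literal copy of known_token."""
    out = _HEADER_RE.sub(lambda m: m.group(1) + mask_token(m.group(2)), text)
    if known_token:
        # Catches copies outside a header, such as a debug log line.
        out = out.replace(known_token, mask_token(known_token))
    return out


def load_token(env=os.environ, name: str = "HELCIM_API_TOKEN") -> str:
    """Read the token from the back-end environment, never from source code.
    The variable name is an assumption made for this example."""
    token = env.get(name, "").strip()
    if not token:
        raise RuntimeError(f"{name} is not set")
    return token


# Constructed sample data: not a real token, host or log.
SAMPLE_TOKEN = "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY"
SAMPLE_CAPTURE = f"""\
curl -H 'api-token: {SAMPLE_TOKEN}' https://api.example.invalid/connection-test
request headers: {{"accept": "application/json", "api-token": "{SAMPLE_TOKEN}"}}
debug: retrying with token {SAMPLE_TOKEN}
"""

if __name__ == "__main__":
    token = load_token({"HELCIM_API_TOKEN": SAMPLE_TOKEN})
    print(redact(SAMPLE_CAPTURE, known_token=token))
```

Passing the live token as known_token also catches copies that appear outside an api-token header; without it, only header values are masked.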

Compromised API tokens

If a merchant has their API token compromised, they should either immediately disable it in the Integrations section of their Helcim account, or generate a new token for that API Access Configuration and update their integration accordingly.

We would also recommend changing the passwords to access your Helcim account and ensuring that only active and valid employees and developers have user access to the account.

To deactivate or generate a new token for your API Access Configuration, go to All Tools, Integrations and then select the relevant configuration that you would like to modify. You can select the appropriate option from the Actions menu in the top right corner of the Access Configuration.