The API accepts 3 different authentication methods:
Instant Payment Notifications use a different authentication method than the rest of the API. A payment account has an IPN secret key associated with it, which can be accessed on the account page. This secret key is used to create a signature from the request, which is passed with all IPNs to verify that the source is legitimate. The signature will be passed in the header as x-madora-sig, and is created using HMAC and SHA256.
Madora.io uses HTTP Basic Authentication to verify all requests (see: https://en.wikipedia.org/wiki/Basic_access_authentication). API Access Keys may be generated on your Madora account page, after completing client onboarding. To make a request using a given key, the key should be combined with the secret in the form: key:secret, and then Base64 encoded. The encoded value can then added to the "Authorization" header as follows: Authorization: Basic [encoded_value]