Authentication

DonutMe supports two authentication methods: session tokens (for browser-based access) and API keys (for server-to-server integration).

Session Authentication

Session tokens are obtained after login and used for browser-based dashboard access:

Shell

-pink-400">curl -H -lime-400">"Authorization: Bearer {sessionToken}" \
  https:-lime-400">"text-neutral-500">//api.donutme.xyz/api/v1/projects

API Key Authentication

API keys enable server-to-server integration without user sessions. Generate keys from Account → API Keys in the dashboard.

Shell

-pink-400">curl -H -lime-400">"X-API-Key: dm_live_your_key_here" \
  https:-lime-400">"text-neutral-500">//api.donutme.xyz/api/v1/projects/{projectId}/transactions

Key Prefixes

Prefix	Environment
`dm_live_`	Production — real transactions
`dm_test_`	Test mode — no real funds

API Key Scopes

Each API key can be restricted to specific scopes:

Scope	Access
`projects:read`	List and get project details, settings, accepted networks
`projects:write`	Create, update, and manage projects
`transactions:read`	List and get transactions
`customers:read`	List and get customers
`customers:write`	Create and update customers
`payment_plans:read`	List and get payment plans
`payment_plans:write`	Create and update payment plans
`admin`	Webhook management, API key management

Note: A key with no scopes (scopes: []) has full access to all endpoints. Always use minimum required scopes in production.

Key Management

Keys are shown only once at creation — store securely
Revoke compromised keys immediately from the dashboard
Use the minimum scopes required for your integration
Rotate keys periodically as a security best practice

Login Methods

Method	Description
Email + Password	Traditional email/password authentication
Google OAuth	Sign in with Google account
Passkeys	Passwordless authentication via WebAuthn

Session Lifecycle

Login → Returns a session token
Use token → Include in Authorization: Bearer header
Refresh → Sessions auto-refresh before expiry
Logout → Invalidates the session

Passkey Registration

Users can register passkeys for passwordless login:

Navigate to Account Settings → Security
Click Add Passkey
Follow your device's biometric/PIN prompt
Passkey is registered and can be used for future logins

Roles & Permissions

System Roles

Role	Description
`super_admin`	Full system access
`manager`	Manage users and settings
`user`	Standard user access

Project Roles

Role	Description
`owner`	Full project control
`admin`	Manage project settings and members
`member`	Create and manage resources
`viewer`	Read-only access

Permissions are enforced using CASL on both frontend and backend.

Authentication

DonutMe supports two authentication methods: session tokens (for browser-based access) and API keys (for server-to-server integration).

Session Authentication

Session tokens are obtained after login and used for browser-based dashboard access:

Shell

-pink-400">curl -H -lime-400">"Authorization: Bearer {sessionToken}" \
  https:-lime-400">"text-neutral-500">//api.donutme.xyz/api/v1/projects

API Key Authentication

API keys enable server-to-server integration without user sessions. Generate keys from Account → API Keys in the dashboard.

Shell

-pink-400">curl -H -lime-400">"X-API-Key: dm_live_your_key_here" \
  https:-lime-400">"text-neutral-500">//api.donutme.xyz/api/v1/projects/{projectId}/transactions

Key Prefixes

Prefix	Environment
`dm_live_`	Production — real transactions
`dm_test_`	Test mode — no real funds

API Key Scopes

Each API key can be restricted to specific scopes:

Scope	Access
`projects:read`	List and get project details, settings, accepted networks
`projects:write`	Create, update, and manage projects
`transactions:read`	List and get transactions
`customers:read`	List and get customers
`customers:write`	Create and update customers
`payment_plans:read`	List and get payment plans
`payment_plans:write`	Create and update payment plans
`admin`	Webhook management, API key management

Note: A key with no scopes (scopes: []) has full access to all endpoints. Always use minimum required scopes in production.

Key Management

Keys are shown only once at creation — store securely
Revoke compromised keys immediately from the dashboard
Use the minimum scopes required for your integration
Rotate keys periodically as a security best practice

Login Methods

Method	Description
Email + Password	Traditional email/password authentication
Google OAuth	Sign in with Google account
Passkeys	Passwordless authentication via WebAuthn

Session Lifecycle

Login → Returns a session token
Use token → Include in Authorization: Bearer header
Refresh → Sessions auto-refresh before expiry
Logout → Invalidates the session

Passkey Registration

Users can register passkeys for passwordless login:

Navigate to Account Settings → Security
Click Add Passkey
Follow your device's biometric/PIN prompt
Passkey is registered and can be used for future logins

Roles & Permissions

System Roles

Role	Description
`super_admin`	Full system access
`manager`	Manage users and settings
`user`	Standard user access

Project Roles

Role	Description
`owner`	Full project control
`admin`	Manage project settings and members
`member`	Create and manage resources
`viewer`	Read-only access

Permissions are enforced using CASL on both frontend and backend.