Authentication

Authenticate M2Square requests and design safe key rotation.

M2Square APIs use bearer tokens. Keys are environment-scoped and should never be embedded in browsers, mobile apps, or public repositories.

Request header

curl "$M2_BASE_URL/v1/balances" \
  -H "Authorization: Bearer $M2_API_KEY"

Idempotency keys

Send an idempotency key for write requests that may be retried.

curl "$M2_BASE_URL/v1/payouts" \
  -H "Authorization: Bearer $M2_API_KEY" \
  -H "Idempotency-Key: payout-vendor-4401" \
  -H "Content-Type: application/json" \
  -d '{ "amount": "250.00", "currency": "USDC" }'

If a retry uses the same idempotency key and payload, M2Square returns the original operation result.

Rotation pattern

Create a new key.
Deploy the new key to all backend services.
Confirm traffic uses the new key.
Keep the old key active through one retry window.
Revoke the old key and record the rotation in your change log.

Operational guidance

Scope keys by environment and service.
Store keys in a secret manager.
Alert on authentication failures above baseline.
Rotate immediately after suspected exposure.

Quickstart

Send your first sandbox request and process a settlement webhook.

Pay-ins & Payouts

Collect stablecoin payments and disburse funds to wallets, bank accounts, or local rails.

On this page

Request header Idempotency keys Rotation pattern Operational guidance