The "401 UNAUTHORIZED" error is returned when there is an issue with the authentication information in the API request.
Example of an error response:
{
"resultInfo": {
"code": "UNAUTHORIZED",
"message": "Unauthorized request",
"codeId": "08100016"
},
"data": null
}
1. When "UNAUTHORIZED (code: 08100016)" occurs in the test environment
Create a Code (code payment) and other APIs in the test environment may cause this error. Please check the following three points.
① Generation of HMAC authentication header
Authorization header signature may be invalid (HMAC authentication not generated correctly).
For how to generate the HMAC signature, please refer to the following article.
https://www.paypay.ne.jp/opa/doc/jp/v1.0/api_authorization
(If not using SDK) First, generate the HMAC Auth header using the Example values here and confirm it matches the sample HMAC Auth header exactly. The header information sent with the request must exactly match the string used to generate the HMAC Auth header.
② Setting of merchantId
Please confirm that merchantId is correctly set in the request.
How to set: When using SDK / When not using SDK
③ Check Epoch (UNIX time)
Please confirm that the Epoch set in the HMAC header is the current date and time (in seconds). If the server's clock is off or there is a difference of 2 minutes or more from the current date and time, an error will occur.
2. When "UNAUTHORIZED" occurs after switching to the production environment
The production environment has IP address restrictions for enhanced security.
Please confirm you are accessing from the IP address registered at the time of production application. If you have not registered an IP address or need to change/add one, please contact us via the form here to register the IP address.
Note: If you are using the SDK, please also check the following FAQ.
How should I switch from the test environment to the production environment when using the SDK?
3. Other main causes and solutions
If neither 1 nor 2 applies, the following causes may also be considered.
Cause |
Solution |
|---|---|
| Incorrect API key or Secret | Please check in the management screen that the API key/API Secret is not incorrect. |
| Mixing environments | Check if test keys are being used in the production environment, and verify the request URL and key environment. |
| Incorrect request URL |
Please check if the request URL (endpoint) is correct. Common mistake: Correct: /v2/code/payments/{merchantPaymentId} |
| Missing headers | Please confirm that the `Authorization` and `X-ASSUME-MERCHANT` headers exist with correct values in the sent headers. |
| Missing required parameters |
merchantId and other required parameters in the request may be missing. Please check. |
| Incorrect callback domain | Please confirm that the domain registered in the management screen matches the domain specified in the request. |
4. How to proceed with checks
When an error occurs, please investigate in the following order.
1. Check HMAC, `merchantId`, and Epoch in the test environment.
2. Check IP restrictions and environment mixing in the production environment.
3. Check URL / headers / required fields / domain.