# Documentation overview
Mandarin documentation describes how to connect payment services — from ready-made no-code solutions to full API integration.
# Where to start
- Without development — Easy start: payout forms, registries, unified payment form, CMS plugins.
- With development — Basics → Basic principles → the section you need under Services.
- Terms — Glossary.
- Industry scenarios — Mandarin knowledge base (opens new window).
# Request authentication
The method depends on which API you use.
# X-Auth
Used in the main Public API: payment acceptance, payouts, tokenization, simplified identification.
Each request includes an X-Auth header — a string built from merchantId, a signature, and a unique requestId. The signature is SHA256 of merchantId, requestId, and Secret. This confirms the request comes from the account owner and helps prevent replay attacks.
Credentials (merchantId and Secret) are taken from the personal account.
Details: Basic principles — authentication.
# OAuth 2.0 (Bearer)
Used in Business API, self-employed API, and BaaS (routing).
First, obtain an access_token via OAuth 2.0 with the client_credentials grant, then send it in the Authorization: Bearer {token} header. The token is valid for a limited time (usually 10 hours); request a new one when it expires.
client_id and client_secret are issued by Support (opens new window).
Details: Business API, Self-employed, BaaS.
# X-Api-Key
Used in the unified payment form API (invoice creation).
The API key is created in the personal account in payment link settings (Integration section) and sent in the Authorization: X-Api-Key: {key} header.
Details: Easy start — unified payment form.
# Callback notifications
Notifications from Mandarin to your callbackUrl are signed with the sign field. Verify the signature on your side before processing the operation status.
Details: sign verification.
# Sandbox and production
Behavior depends on the service:
- Main Public API (payments, payouts, tokenization) — the environment is determined by credentials: a test
Secretuses sandbox, a productionSecretuses production. The API URL is the same. - Simplified identification, self-employed, BaaS, and other services — access to the test environment and OAuth applications is configured by Support (opens new window). See the Testing section for setup details.
Test requests do not result in real transactions in banking systems. More details are in Basics.
Basics →