API Keys

Key types

Type	Prefix	Use
Secret key	sk_sandbox_... / sk_live_...	Server-side — create payments, issue refunds, manage customers
Publishable key	pk_sandbox_... / pk_live_...	Client-side — initialize the widget, tokenize cards

Never expose a secret key in browser code, mobile apps, or public source repositories.

Key format

All keys follow the pattern:

{type}_{mode}_{32 alphanumeric characters}

Examples:

• sk_sandbox_aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV
• pk_live_wX3yZ4aB5cD6eF7gH8iJ9kL0mN1oP2qR

Viewing keys

Navigate to Settings → API Keys. For security, only the last few characters of each key are shown after creation. The full key is visible exactly once — immediately after it is created.

Creating a new key

1. Go to Settings → API Keys
2. Click New Key
3. Enter a descriptive name (e.g. “Production server”, “CI pipeline”)
4. Copy the full key immediately and store it securely

Primary keys

Each account has one primary secret key and one primary publishable key. The primary key is the default used by the dashboard’s built-in tools.

Promoting a key to primary automatically demotes the previous primary. Both keys remain active.

Revoking keys

Click Revoke on any key to invalidate it immediately. Revoked keys return a 401 authentication_error on all requests. Revocation cannot be undone — create a new key to replace a revoked one.

Key expiry

When creating a key, you can set an optional expires_at date. Expired keys behave identically to revoked keys.

Tip

Rotate secret keys when team members leave or if you suspect exposure. Create a replacement key and deploy it to your server before revoking the old one to avoid downtime.