Beginner · 10 min

Authenticate Your API Integration Securely

API keys, environment variables, and key rotation — the secure integration foundation every developer needs before going live.

1. Understanding API Key Types

The Payments API uses two key types with different access scopes and security requirements:

| Key Type | Prefix | Access Level | Where to Use |
|---|---|---|---|
| Secret key | sk_test_ / sk_live_ | Full API access — create transfers, manage accounts, read all data | Server-side only. Never in browser, mobile app, or version control. |
| Publishable key | pk_test_ / pk_live_ | Read-only client-side operations — tokenize account data for submission | Safe for client-side code. Cannot create transfers or read sensitive data. |

⚠ Secret key leaks are critical incidents

If your sk_live_ key is exposed in a public repo, version control history, or application logs — rotate it immediately. A leaked secret key grants full access to create and cancel transfers on your account.

2. Store Keys Securely with Environment Variables

Never hardcode API keys in source code. Use environment variables and ensure your .env file is in .gitignore before making your first commit.

Node.js

# .env — never commit this file (dotenv files use # for comments)
PAYMENTS_SECRET_KEY=sk_live_xxxxxxxxxxxxxxxx
PAYMENTS_WEBHOOK_SECRET=whsec_xxxxxxxxxxxxxxxx

# .gitignore — add this line
.env

// In your application
require('dotenv').config();
const apiKey = process.env.PAYMENTS_SECRET_KEY;
if (!apiKey) throw new Error('PAYMENTS_SECRET_KEY not set');

Python

# .env — never commit this file
PAYMENTS_SECRET_KEY=sk_live_xxxxxxxxxxxxxxxx
PAYMENTS_WEBHOOK_SECRET=whsec_xxxxxxxxxxxxxxxx

# .gitignore
.env

# In your application
import os
from dotenv import load_dotenv

load_dotenv()
api_key = os.environ["PAYMENTS_SECRET_KEY"]  # raises if missing

CI/CD and cloud secrets managers

# For CI/CD systems (GitHub Actions, etc.), store the key as a repository
# secret; never put the literal value in a workflow YAML file.

# GitHub Actions example — secrets.PAYMENTS_SECRET_KEY is injected as an env var:
env:
  PAYMENTS_SECRET_KEY: ${{ secrets.PAYMENTS_SECRET_KEY }}

# For AWS, use SSM Parameter Store or Secrets Manager:
aws ssm get-parameter \
  --name /paymentsapi/secret-key \
  --with-decryption \
  --query Parameter.Value \
  --output text
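
An added example in Python, not code from this page or from the Payments API SDK: a loader that enforces the key-type rules from step 1 (a secret key only, and test vs. live mode matching the environment the process runs in) and a redactor that scrubs sk_ and whsec_ values before they can reach application logs or error reports. The function names and the placeholder key values are my own constructions.

```python
import os
import re

# Key prefixes documented on this page. The key values used below are constructed placeholders.
SECRET_PREFIXES = ("sk_test_", "sk_live_")
PUBLISHABLE_PREFIXES = ("pk_test_", "pk_live_")
# Matches a secret-scope credential (API secret key or webhook signing secret) so it
# can be scrubbed before it reaches application logs or error reports.
SECRET_PATTERN = re.compile(r"\b((?:sk_(?:test|live)|whsec)_)[A-Za-z0-9]{8,}")


def load_secret_key(env=None, production=False):
    """Read PAYMENTS_SECRET_KEY and fail fast on the misconfigurations this page warns about:
    a missing variable, a publishable key wired in server-side, or a key from the wrong mode."""
    env = os.environ if env is None else env
    key = env.get("PAYMENTS_SECRET_KEY")
    if not key:
        raise RuntimeError("PAYMENTS_SECRET_KEY not set")
    if key.startswith(PUBLISHABLE_PREFIXES):
        raise RuntimeError("publishable (pk_) key supplied where a secret (sk_) key is required")
    if not key.startswith(SECRET_PREFIXES):
        raise RuntimeError("PAYMENTS_SECRET_KEY is not a Payments API secret key")
    expected = "sk_live_" if production else "sk_test_"
    if not key.startswith(expected):
        raise RuntimeError(f"expected a {expected} key in this environment, got {key[:8]}")
    return key


def redact(text):
    """Replace every secret credential in text with its prefix followed by [REDACTED]."""
    return SECRET_PATTERN.sub(r"\1[REDACTED]", text)


if __name__ == "__main__":
    # Constructed sample environment; in a real service the value comes from .env or a secrets manager.
    sample_env = {"PAYMENTS_SECRET_KEY": "sk_test_" + "x" * 16}
    key = load_secret_key(sample_env, production=False)
    signing_secret = "whsec_" + "y" * 16
    print(redact(f"using key {key} with signing secret {signing_secret}"))
    # prints: using key sk_test_[REDACTED] with signing secret whsec_[REDACTED]
```

Run the redactor over anything you hand to a logger or error tracker; the loader is meant to run once at startup so a misconfigured deployment fails before it serves traffic.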

3. Rotate Keys Without Downtime

Rotate API keys periodically, and immediately after any suspected exposure. Because the dashboard keeps the old and new keys valid at the same time, the following procedure rotates a key without downtime:

  1. Generate a new key in the Payments API dashboard — both the old and the new key are now valid simultaneously.
  2. Update your production servers or secrets manager with the new key.
  3. Deploy the update and verify that requests are succeeding with the new key.
  4. Revoke the old key from the dashboard — it can no longer be used.

Best practice — key rotation schedule

Rotate your live secret key at minimum every 90 days, after any employee departure with key access, and immediately after any security incident. Automate rotation where possible using your cloud provider's secrets manager rotation feature.

You've completed the tutorial series!