API Key Management

Spotflow provides two types of API keys for different use cases: public keys and secret keys. You can manage these keys from your Spotflow dashboard.
  • Public Keys (pk_test_ for test mode, pk_live_ for live mode): Primarily used for client-facing integrations such as frontend applications, Spotflow Inline, and Mobile SDKs. These keys are designed to initiate payment collections but cannot modify account settings or access sensitive data. Public keys are safe to expose in client-side code.
  • Secret Keys (sk_test_ for test mode, sk_live_ for live mode): Used exclusively for server-to-server communications and backend integrations. These keys grant full access to your account and must be kept confidential. Never share your secret keys in public locations like code repositories (GitHub), client-side code, or other unsecured environments.

Authentication Process

All server-side API requests to Spotflow must be authenticated using your secret key. Here’s how to authenticate:
  • Include your secret key in the Authorization header of every request using the Bearer token format.
  • HTTPS is mandatory: All API requests must be made over HTTPS for secure communication. Requests made over plain HTTP will fail.
  • Authentication Failure: Calls made without proper authentication will result in a 401 Unauthorized status code response from the API.

Secure your API requests by including an Authorization header in the following format:

Authorization: Bearer SECRET_KEY

{
    "Authorization": "Bearer sk_test_6988f8d1539a48ab945764ec361fa3eb"
}

To test functionality specific to your account, replace this sample key with your own. By following these guidelines, you can ensure secure and authorized access while integrating with Spotflow’s APIs.
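
The rules above can be enforced in code before a request is sent or a file is committed. The following is an added example, not Spotflow's own code: the function names and the URL passed to `auth_headers` are hypothetical, and the 32-hex-character key body is an assumption inferred from the sample key on this page.

```python
import re
from urllib.parse import urlsplit

# Assumption: a key is its prefix plus 32 lowercase hex characters,
# inferred from the sample key shown on this page.
KEY_RE = re.compile(r"\b(pk|sk)_(test|live)_([0-9a-f]{32})\b")

def classify_key(key):
    """Return (kind, mode), e.g. ("secret", "live"), or raise ValueError."""
    m = KEY_RE.fullmatch(key.strip())
    if not m:
        raise ValueError("not a recognised key format")
    return ("secret" if m.group(1) == "sk" else "public", m.group(2))

def auth_headers(url, key, expect_mode):
    """Build the Bearer header for a server-side call, refusing unsafe combinations."""
    if urlsplit(url).scheme != "https":
        raise ValueError("API requests must be made over HTTPS")
    kind, mode = classify_key(key)
    if kind != "secret":
        raise ValueError("server-side requests need a secret key (sk_...)")
    if mode != expect_mode:
        raise ValueError(f"{mode} key used where a {expect_mode} key was expected")
    return {"Authorization": f"Bearer {key.strip()}"}

def find_leaked_secret_keys(text):
    """Return (line number, redacted key) for each secret key found in text
    that is headed for a repository or a client-side bundle."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            if m.group(1) == "sk":
                # Redact so the scanner's own output does not leak the key.
                hits.append((lineno, f"sk_{m.group(2)}_{m.group(3)[:4]}..."))
    return hits

# Constructed sample: a frontend file that wrongly embeds a secret key on line 2.
SAMPLE_CLIENT_JS = (
    'const pub = "pk_live_' + "0a" * 16 + '";\n'
    'const oops = "sk_live_' + "1b" * 16 + '";\n'
)

if __name__ == "__main__":
    print(find_leaked_secret_keys(SAMPLE_CLIENT_JS))
```

In a real deployment the secret key would be read from the environment or a secrets manager rather than written into source, and `find_leaked_secret_keys` would run as a pre-commit or CI check over files destined for the client.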