API Key Types
| Type | Prefix | Use |
|---|---|---|
| Live | sk_live_ | Production environment |
| Test | sk_test_ | Sandbox/testing environment |
Important: Keep your API keys secure. Never expose them in client-side code or public repositories.
Creating API Keys
Via Dashboard
- Log in to the Enterprise Dashboard
- Go to Developers → API Keys
- Click Create API Key
- Configure the key:
| Field | Description |
|---|---|
| Name | Descriptive name (e.g., “Production Server”, “POS Integration”) |
| Environment | Live or Test |
| Scopes | Which API endpoints the key can access |
| Expiration | Optional expiration date |
- Click Create
- Copy the key immediately — it won’t be shown again
Key Display
After creation, you’ll see:
Using API Keys
Authorization Header
Include the API key in the Authorization header:
cURL Example
JavaScript Example
Python Example
Scopes
API keys can be restricted to specific scopes:
| Scope | Description |
|---|---|
| invoices:read | View invoices |
| invoices:write | Create and update invoices |
| payment-links:read | View payment links |
| payment-links:write | Create payment links |
| clients:read | View clients |
| clients:write | Create and update clients |
| payouts:read | View payouts |
| payouts:write | Create payouts |
| disbursements:read | View disbursements |
| disbursements:write | Create disbursements |
| webhooks:read | View webhook endpoints |
| webhooks:write | Manage webhook endpoints |
Full Access
To create a key with full access, select all scopes or use the “Full Access” option.
Minimal Scopes
For security, use the minimum scopes necessary. For example, a reporting integration might only need:
- invoices:read
- payouts:read
- clients:read
Managing API Keys
Viewing Keys
Go to Developers → API Keys to see all keys:
| Column | Description |
|---|---|
| Name | Key name |
| Environment | Live or Test |
| Created | Creation date |
| Last Used | Most recent API call |
| Scopes | Permitted operations |
| Status | Active or Revoked |
Revoking Keys
To revoke a key:
- Go to Developers → API Keys
- Find the key to revoke
- Click Revoke
- Confirm the action
401 Unauthorized response.
Rotating Keys
To rotate a key (create new, revoke old):
- Create a new API key with the same scopes
- Update your application to use the new key
- Verify the new key works
- Revoke the old key
Key Expiration
Set expiration dates for enhanced security:
- Keys expire automatically at midnight UTC on the expiration date
- Expired keys return 401 Unauthorized
- Set reminders to rotate keys before expiration
Security Best Practices
Do
- Store keys in environment variables
- Use separate keys for different environments (dev, staging, production)
- Use minimal scopes for each integration
- Rotate keys periodically
- Revoke unused keys
- Monitor key usage in the dashboard
Don’t
- Commit keys to version control
- Share keys via email or chat
- Use live keys in development
- Use a single key for multiple applications
- Ignore key security warnings
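The practices above (keys in environment variables, a separate key per environment, no live keys in development) can be enforced when the application starts. This is an added example, not code from the original documentation; the variable name `EXAMPLE_API_KEY`, the deployment names and the helper names are assumptions.

```python
import os

# Key prefixes documented on this page.
PREFIXES = {"live": "sk_live_", "test": "sk_test_"}

# Assumption: the only deployment allowed to hold a live key (hypothetical name).
LIVE_DEPLOYMENTS = {"production"}


class KeyConfigError(RuntimeError):
    """Raised at startup when the configured key is missing or mismatched."""


def redact(key):
    """Return a log-safe form of a key: its prefix plus the last 4 characters."""
    for prefix in PREFIXES.values():
        if key.startswith(prefix):
            rest = key[len(prefix):]
            # Very short remainders are hidden completely.
            return f"{prefix}...{rest[-4:]}" if len(rest) > 8 else f"{prefix}..."
    return "<unrecognized key>"


def load_api_key(deployment, environ=os.environ, var="EXAMPLE_API_KEY"):
    """Read the key from the environment and refuse a wrong-environment key."""
    key = environ.get(var, "").strip()
    if not key:
        raise KeyConfigError(f"{var} is not set")
    kind = next((k for k, p in PREFIXES.items() if key.startswith(p)), None)
    if kind is None:
        raise KeyConfigError(f"{var} has no sk_live_ or sk_test_ prefix")
    expected = "live" if deployment in LIVE_DEPLOYMENTS else "test"
    if kind != expected:
        # Only the redacted form reaches logs or error trackers.
        raise KeyConfigError(
            f"{deployment} requires a {expected} key, got {redact(key)}")
    return key


def auth_headers(key):
    """Build the Authorization header in the documented Bearer form."""
    return {"Authorization": f"Bearer {key}"}
```

Calling `load_api_key` once at startup turns a live key in a development environment into an immediate configuration error instead of real production API calls.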
Environment Variables
Store keys in environment variables:
Troubleshooting
401 Unauthorized
| Cause | Solution |
|---|---|
| Missing header | Add Authorization: Bearer <key> |
| Invalid key | Check for typos, verify key is correct |
| Revoked key | Create a new key |
| Expired key | Create a new key |
| Wrong environment | Use sk_live_ for production, sk_test_ for sandbox |
403 Forbidden
| Cause | Solution |
|---|---|
| Insufficient scopes | Create a new key with required scopes |
| Resource not accessible | Verify you have access to the resource |
API Key Webhooks
Get notified about key events:
| Event | Description |
|---|---|
| api_key.created | New key created |
| api_key.revoked | Key was revoked |
| api_key.expiring | Key expires in 7 days |
| api_key.expired | Key has expired |
Next Steps
- API Overview — API basics and endpoints
- Webhooks — Receive event notifications
- Invoices API — Create invoices programmatically