API keys

Last updated: June 29, 2022

Manage your keys in the Dashboard

From the Developers page in Dashboard, you can:

  • List and view your keys.
  • Create new keys.
  • Edit or delete existing keys.

Any user with Developer or Admin permissions can view or create keys, but only users with the Owner permission are able to edit or delete existing keys.

See our Developers documentation for more information.

If you're using an e-commerce platform, you need to assign only one processing channel to your public and secret API keys.


Public API keys

Public API keys are used for client-side authentication and only have access to a limited set of our APIs – mostly those called as part of your payment environment. You'll use them when tokenizing card information through Frames or for Google Pay, and in our Mobile SDKs and E-commerce Platforms.


Secret API keys

Secret API keys are used for server-to-server authentication and are supported across most of our endpoints (see our API reference). If you want to use key authentication on an endpoint where it isn't specified in our API reference, please email support@checkout.com.

You can choose how you want your secret API keys configured:

  • A single key that has access to all of the APIs you want to use.

  • Multiple keys, each of which has access to a specific set of APIs you will use.

Store your secret API keys securely, as they can be used to perform sensitive actions through the API. Any exposure of your secret API keys puts your account security at risk.


Multiple key use case

For example, you might have separate systems for processing payments and managing disputes. Each one has different security requirements, and you don't want the disputes management system to have access to any sensitive information about payment processing. To keep them separate, you could have one secret key to access our Unified Payment API for payment processing, and a second secret key that only has access to our Disputes API for disputes management.


Using API key authentication

To use an API key in your request, provide it in the Authorization header with the Bearer prefix.

Request example

curl --location --request POST 'https://api.sandbox.checkout.com/payments/' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer sk_sbox_wjvrysklsqjmrhn3yoexnshsl72' \
--data-raw '{
  "source": {
    "type": "card",
    "number": "4242424242424242",
    "expiry_month": 12,
    "expiry_year": 2025
  },
  "amount": 100,
  "currency": "EUR",
  "reference": "ORD-175-759"
}'
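
The request above with the secret key kept out of the script and off curl's command line, as an added example that is not part of the original documentation. It assumes the key is supplied in an environment variable named CKO_SECRET_KEY (a hypothetical name), that secret keys start with sk_ as the sample key does, and that keys contain only letters, digits, underscores and hyphens; cko_auth_config and cko_post are illustrative helper names.

```shell
#!/bin/sh
# Added example: read the secret key from the environment and hand the
# Authorization header to curl over stdin, so the key is not stored in the
# script, in shell history, or in the process list.
# Assumption: CKO_SECRET_KEY (hypothetical name) is set by your secret store.

# Print a curl config line carrying the Authorization header.
# Returns non-zero if the key is missing or does not look like a secret key.
cko_auth_config() {
    key=${CKO_SECRET_KEY:-}
    if [ -z "$key" ]; then
        echo "CKO_SECRET_KEY is not set" >&2
        return 1
    fi
    case $key in
        sk_*) ;;    # assumed prefix, taken from the sample key on this page
        *) echo "CKO_SECRET_KEY does not start with sk_" >&2
           return 1 ;;
    esac
    # Assumed character set; rejects quotes and spaces that would break
    # out of the quoted value in the curl config line below.
    case $key in
        *[!A-Za-z0-9_-]*) echo "CKO_SECRET_KEY has unexpected characters" >&2
                          return 1 ;;
    esac
    printf 'header = "Authorization: Bearer %s"\n' "$key"
}

# POST a JSON body to a path on the sandbox API host used on this page.
# curl reads the header from stdin via --config -.
cko_post() {
    path=$1
    body=$2
    config=$(cko_auth_config) || return 1
    printf '%s\n' "$config" | curl --silent --show-error --config - \
        --request POST "https://api.sandbox.checkout.com$path" \
        --header 'Content-Type: application/json' \
        --data-raw "$body"
}
```

Call it as cko_post /payments/ "$json_body" after exporting CKO_SECRET_KEY from your secret store.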