API key types

Every account has four API keys, two for each environment:
Key prefix   Type         Environment   Use case
sk_live_     Secret       Live          Server-side API calls in production
pk_live_     Publishable  Live          Client-side tokenization in production
sk_test_     Secret       Test          Server-side API calls in test mode
pk_test_     Publishable  Test          Client-side tokenization in test mode

Secret keys

Secret keys (sk_live_*, sk_test_*) can perform any API operation: creating charges, issuing refunds, reading customer data, and more. They must never be exposed in client-side code, version control, or logs.

Publishable keys

Publishable keys (pk_live_*, pk_test_*) are safe to include in client-side code. They can only be used for a limited set of operations such as tokenizing payment methods. They cannot read or modify any existing resources.

HTTP Basic Auth

All API requests authenticate using HTTP Basic Auth. Set the username to your secret key and leave the password empty.
# The trailing colon after the key indicates an empty password
curl https://api.leanrails.com/v1/payment_intents \
  -u "sk_test_your_key_here:"
If you omit authentication or provide an invalid key, the API returns a 401 response:
{
  "error": {
    "type": "authentication_error",
    "code": "authentication_failed",
    "message": "Invalid API key provided.",
    "param": null,
    "doc_url": "https://docs.leanrails.com/errors/authentication_failed"
  }
}

Test mode vs live mode

Test and live environments are fully isolated at the database level. Data created with a test key is never visible to a live key, and vice versa.
  • Test mode (sk_test_*, pk_test_*): Use this for development and integration testing. No real money moves. Test card numbers like pm_card_visa are available.
  • Live mode (sk_live_*, pk_live_*): Use this in production. Real payment methods are charged.
Every API object includes a livemode boolean field so you can always verify which environment a resource belongs to.
{
  "id": "pi_1abc123def456",
  "object": "payment_intent",
  "livemode": false,
  ...
}

Key rotation

You can roll your secret keys from the dashboard under Settings > API Keys > Roll Key. When you roll a key:
  1. A new key is generated immediately.
  2. The old key remains valid for 24 hours to allow a graceful transition.
  3. After 24 hours, the old key is permanently revoked.
Never commit API keys to version control. Use environment variables or a secrets manager.
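A small server-side helper, added here as an example (not code from this page or from a leanrails SDK), that ties the sections above together: it reads the secret key from an environment variable (the variable name is an assumption), refuses publishable keys, builds the Basic Auth header exactly as the curl call does (key as username, empty password), recognises the 401 authentication_error body, and checks that a returned object's livemode flag agrees with the key's environment. The sample response bodies are constructed to match the shapes shown on this page.

```python
import base64
import json
import os

# Constructed samples, shaped like the 401 body and payment_intent object shown on this page.
SAMPLE_401_BODY = json.dumps({"error": {"type": "authentication_error",
    "code": "authentication_failed", "message": "Invalid API key provided.",
    "param": None, "doc_url": "https://docs.leanrails.com/errors/authentication_failed"}})
SAMPLE_TEST_INTENT = {"id": "pi_1abc123def456", "object": "payment_intent", "livemode": False}


def key_environment(key: str) -> str:
    """Return 'test' or 'live' from the prefix; anything that is not a secret key is rejected."""
    if key.startswith("sk_test_"):
        return "test"
    if key.startswith("sk_live_"):
        return "live"
    # pk_* keys are publishable and cannot authenticate server-side calls; reject them and any junk.
    raise ValueError("server-side calls require an sk_test_ or sk_live_ secret key")


def load_secret_key(var: str = "LEANRAILS_SECRET_KEY") -> str:
    """Read the secret key from the environment, never from a file checked into version control.
    The variable name is an assumption made for this example."""
    key = os.environ.get(var, "")
    key_environment(key)  # fail fast on a missing, publishable, or malformed key
    return key


def basic_auth_header(secret_key: str) -> dict:
    """Basic Auth exactly as the curl example does it: username = key, password empty ('sk_...:')."""
    key_environment(secret_key)
    token = base64.b64encode(f"{secret_key}:".encode("ascii")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def livemode_matches_key(secret_key: str, resource: dict) -> bool:
    """True when the resource's livemode flag agrees with the key that fetched it.
    A mismatch means a live key is in use where test data was expected, or vice versa."""
    return resource.get("livemode") is (key_environment(secret_key) == "live")


def is_auth_failure(status: int, body: str) -> bool:
    """Recognise the 401 authentication_error shape, e.g. a key rolled more than 24 hours ago.
    Such a response should be surfaced for operator action, not retried with the same key."""
    if status != 401:
        return False
    err = json.loads(body).get("error") or {}
    return err.get("type") == "authentication_error"
```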

Next steps