API keys
Your account has two API keys. Find and manage them in the Developer section of your dashboard.
| Key | Prefix | Use it | Where |
|---|---|---|---|
| Publishable | sp_client_… | Identify your account in the browser | Front-end / embed widget |
| Secret | sp_secret_… | Authenticate API calls | Server only |
Publishable key
The publishable key is safe to include in client-side code. It tells the checkout widget which account a payment belongs to:
```html
<iframe src="https://checkout.securepayapi.com/embed?pk=sp_client_…"></iframe>
```
Secret key
The secret key authorizes server-side API calls, such as creating a payment. Send it as a Bearer token:
```bash
curl https://checkout.securepayapi.com/api/v1/payment-intents \
  -H "Authorization: Bearer sp_secret_…" \
  -H "Content-Type: application/json" \
  -d '{ "amount": 2000, "currency": "USD" }'
```
Caution
Never expose your secret key in front-end code, a public repository, or a mobile app. Anyone with it can create payments on your account. Keep it in server-side environment variables only.
Rotating keys
You can regenerate either key from the Developer section at any time. Regenerating immediately invalidates the old key, so update your integration before rotating in production.
Keeping keys safe
- Store the secret key in environment variables, not in code.
- Keep it out of version control, logs and client-side bundles.
- Rotate a key right away if you suspect it has leaked.
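One way to enforce the practices listed above on the server and in CI, shown as an added example that is not part of the original documentation: it loads the secret key from the environment, masks it before logging, and flags any file that contains one. The variable name `SECUREPAY_SECRET_KEY` and the character set after the `sp_secret_` prefix are assumptions, since the page shows only the prefix.

```python
import os
import re

# Assumption: the part after the prefix is URL-safe text of 8+ characters;
# the page itself only shows "sp_secret_…".
SECRET_RE = re.compile(r"sp_secret_[A-Za-z0-9_\-]{8,}")
ENV_VAR = "SECUREPAY_SECRET_KEY"  # hypothetical variable name


def load_secret_key(env=os.environ):
    """Read the secret key from the environment; refuse anything that is not one."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set")
    if key.startswith("sp_client_"):
        raise RuntimeError(f"{ENV_VAR} holds a publishable key, not a secret key")
    if not SECRET_RE.fullmatch(key):
        raise RuntimeError(f"{ENV_VAR} does not look like a secret key")
    return key


def redact(text):
    """Mask secret keys before text reaches a log, keeping only the prefix."""
    return SECRET_RE.sub("sp_secret_[REDACTED]", text)


def find_leaks(files):
    """Return (file name, line number) for every line that contains a secret key.

    `files` maps a name to its text, e.g. a built JS bundle or a staged source file.
    """
    hits = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if SECRET_RE.search(line):
                hits.append((name, lineno))
    return hits


# Constructed sample data: the key values below are made up.
FAKE_KEY = "sp_secret_" + "EXAMPLEonly0000"
SAMPLE_FILES = {
    "bundle.js": 'const pk = "sp_client_EXAMPLEonly0000";\n'
                 'const h = {Authorization: "Bearer ' + FAKE_KEY + '"};\n',
    "server.py": 'key = os.environ["SECUREPAY_SECRET_KEY"]\n',
}

if __name__ == "__main__":
    print(find_leaks(SAMPLE_FILES))
    print(redact(f"Authorization: Bearer {FAKE_KEY}"))
```

Running `find_leaks` over build output or staged files in CI and failing the job on any hit catches a secret key before it reaches a client-side bundle or a repository.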