Authentication

All API requests require authentication using your Secret Key. Learn how to securely authenticate your requests.

API Keys

Demo Gateway uses API keys to authenticate requests. You'll receive two types of keys:

Publishable Key (pk_...)

Safe to expose in client-side code. Used for tokenization requests from your frontend.

pk_test_...
Secret Key (sk_...)

Must be kept secret. Only use on your backend server. Never expose in client-side code.

sk_test_...

Security Warning

Never commit your Secret Key to version control or expose it in client-side code. Always store it as an environment variable on your server.

Bearer Token Authentication

All API requests must include your Secret Key in the Authorization header using the Bearer token format.

Authorization Header
Format for all API requests

Header Name: Authorization
Header Value: Bearer YOUR_SECRET_KEY

Code Example
// Include the Authorization header in every request. The Secret Key is read
// from an environment variable on the server (the variable name here is an
// example); it is never written into the source file.
const response = await fetch('https://api.demo-gateway.com/v1/payments', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.DEMO_GATEWAY_SECRET_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    // ... request body
  }),
});

Test vs Production Keys

Environment Keys
Test Keys

Use test keys (pk_test_... and sk_test_...) for development and testing. Test payments won't charge real money.

Production Keys

Production keys (pk_live_... and sk_live_...) are available after account approval. Use these for live transactions.

Security Best Practices

Key Management
  • Store keys securely: Use environment variables or a secrets management service; never hardcode keys in your application
  • Rotate regularly: Change your keys periodically, and immediately if you suspect they've been compromised
  • Use different keys: Never use production keys in development or test environments
  • Restrict access: Only give API key access to team members who need it, and revoke access when it is no longer needed

Authentication Errors

Common Errors
401 Unauthorized

The API key is missing, invalid, or expired. Check that you're using the correct Secret Key and that it's properly formatted in the Authorization header.

403 Forbidden

The API key doesn't have permission to perform this action. Ensure you're using the correct key type (test vs production) and that it has the required permissions.
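The pieces above (Bearer header, Secret vs Publishable keys, test vs live prefixes, and the 401/403 responses) combined into one server-side helper, as an added example that is not Demo Gateway's own SDK. The key suffix format (any non-whitespace characters), the env var name mentioned in the error, and the injected fetchImpl are assumptions.

```javascript
// Added example, not Demo Gateway's own SDK: build the Bearer header from a
// key read on the server and classify 401/403 replies. The env var name,
// the key's suffix format (non-whitespace) and fetchImpl are assumptions.
const SECRET_KEY_RE = /^sk_(test|live)_\S+$/;

// Refuse anything that must never be sent as a Secret Key: a publishable
// key (pk_...), an empty value, or a malformed string. Returns 'test'|'live'.
function validateSecretKey(key) {
  if (typeof key !== 'string' || key.length === 0) {
    throw new Error('secret key is not set (expected DEMO_GATEWAY_SECRET_KEY)');
  }
  if (key.startsWith('pk_')) {
    throw new Error('publishable key supplied where a secret key is required');
  }
  const match = SECRET_KEY_RE.exec(key);
  if (!match) throw new Error('secret key is malformed');
  return match[1];
}

// Headers for every API request: the documented Bearer format plus JSON.
function authHeaders(key) {
  validateSecretKey(key);
  return { Authorization: `Bearer ${key}`, 'Content-Type': 'application/json' };
}

// Map the documented auth statuses to an actionable reason; the key itself
// is never included, so the message is safe to log.
function classifyAuthError(status, mode) {
  if (status === 401) return 'unauthorized: key missing, invalid, expired, or header malformed';
  if (status === 403) return `forbidden: ${mode} key lacks permission (check test vs live)`;
  return null;
}

// fetchImpl is injected so the flow can be exercised without network access.
async function createPayment(body, key, fetchImpl = fetch) {
  const mode = validateSecretKey(key);
  const response = await fetchImpl('https://api.demo-gateway.com/v1/payments', {
    method: 'POST',
    headers: authHeaders(key),
    body: JSON.stringify(body),
  });
  if (response.ok) return { ok: true, data: await response.json() };
  const reason = classifyAuthError(response.status, mode) ?? `http ${response.status}`;
  return { ok: false, status: response.status, reason };
}
```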