API keys

In the Developers page, you can:

You can view or create keys with the Developer permission. For edit or delete, you must have the Owner permission.

Public keys are used for client-side authentication and only have access to a limited set of our APIs – mostly those called as part of your payment environment. You'll use them when tokenizing card information through Frames or for Google Pay, and in our Mobile SDKs and E-commerce Platforms.

Secret keys are used for server-to-server authentication and are supported across most of our endpoints (see our API reference). If you want to use key authentication on an endpoint where it isn't specified in our API reference, please email support@checkout.com.

You can choose how you want your secret keys configured:

For example, you might have separate systems for processing payments and managing disputes. Each one has different security requirements, and you don't want the disputes management system to have access to any sensitive information about payment processing. To keep them separate, you could have one secret key to access our Unified Payment API for payment processing, and a second secret key that only has access to our Disputes API for disputes management.

To use an API key in your request, you should provide it in the Authorization header with the Bearer Prefix.

curl --location --request POST 'https://api.sandbox.checkout.com/payments/' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer sk_sbox_wjvrysklsqjmrhn3yoexnshsl72' \
--data-raw '{
  "source": {
    "type": "card",
    "number": "4242424242424242",
    "expiry_month": 12,
    "expiry_year": 2025
  },
  "amount": 100,
  "currency": "EUR",
  "reference": "ORD-175-759"
}'