Security

Authentication

All API requests require authentication using an API key.

API Key Authentication

Include your API key in the X-API-Key header:

request.sh
curl -X POST "https://cashier.flowpayment.net/api/v1/checkout" \
  -H "X-API-Key: sk_live_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "merchant_id": "your_merchant_id",
    "amount": 150.00,
    "currency": "BRL",
    "country": "BRA",
    "success_url": "https://your-site.com/success",
    "cancel_url": "https://your-site.com/cancel"
  }'

Security

Keep your API key secure. Never expose it in client-side code or public repositories.

API Key Format

Prefix    Environment  Example
sk_live_  Production   sk_live_abc123...
sk_test_  Sandbox      sk_test_xyz789...

Alternative: Bearer Token

You can also send the key in the Authorization header as a Bearer token:

bash
curl -X POST "https://cashier.flowpayment.net/api/v1/checkout" \
  -H "Authorization: Bearer sk_live_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{...}'

Idempotency

Use the X-Idempotency-Key header to prevent duplicate requests:

bash
curl -X POST "https://cashier.flowpayment.net/api/v1/checkout" \
  -H "X-API-Key: sk_live_your_api_key" \
  -H "X-Idempotency-Key: order_12345_attempt_1" \
  -H "Content-Type: application/json" \
  -d '{...}'

If you send the same request with the same idempotency key within 24 hours, you'll receive the cached response instead of creating a new checkout session.

Authentication Errors

Status  Error          Description
401     Unauthorized   Missing or invalid API key
403     Forbidden      API key doesn't have permission for this resource
409     Conflict       Idempotency key is still processing
422     Unprocessable  Idempotency key used with different request body
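An added example (not FlowPayment's own client code) that ties the idempotency and error sections together with the key-handling advice below: it loads the key from an environment variable, checks its prefix against the target environment, builds the idempotent checkout request and maps the documented statuses to a client decision. The variable name FLOWPAYMENT_API_KEY and the function names are assumptions, not part of the API.

```python
import json
import os

API_URL = "https://cashier.flowpayment.net/api/v1/checkout"
KEY_PREFIXES = {"production": "sk_live_", "sandbox": "sk_test_"}  # documented prefixes

def key_matches_environment(api_key: str, environment: str) -> bool:
    """True if the key carries the prefix documented for this environment."""
    return api_key.startswith(KEY_PREFIXES[environment])

def load_api_key(environment: str, environ=os.environ,
                 env_var: str = "FLOWPAYMENT_API_KEY") -> str:
    """Read the key from an environment variable, never from code, and refuse a
    key whose prefix does not match the intended environment (a live key in a
    sandbox deployment, say). FLOWPAYMENT_API_KEY is an assumed variable name."""
    api_key = environ.get(env_var, "")
    if not api_key:
        raise RuntimeError(f"{env_var} is not set")
    if not key_matches_environment(api_key, environment):
        raise ValueError(f"key prefix does not match the {environment} environment")
    return api_key

def idempotency_key(order_id: str, attempt: int) -> str:
    """Deterministic per order and attempt: a retry of the same attempt reuses
    the key and gets the cached response; a new attempt gets a fresh key."""
    return f"order_{order_id}_attempt_{attempt}"

def build_checkout_request(api_key: str, order_id: str, attempt: int, body: dict) -> dict:
    headers = {
        "X-API-Key": api_key,
        "X-Idempotency-Key": idempotency_key(order_id, attempt),
        "Content-Type": "application/json",
    }
    # Canonical serialisation: a retry under the same key must send an identical
    # body, otherwise the server answers 422 (key reused with a different body).
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"url": API_URL, "headers": headers, "body": payload}

def next_action(status: int) -> str:
    """Map the documented statuses to what the client should do next."""
    if 200 <= status < 300:
        return "done"
    if status == 409:          # still processing: poll again with the same key
        return "retry_same_key"
    if status == 422:          # same key, different body: fix the client, do not retry
        return "fix_request"
    if status in (401, 403):   # credential problem: retrying will not help
        return "check_credentials"
    return "fail"
```

Pass the dict returned by build_checkout_request to whatever HTTP client you use; the point is that a retry must reuse both the same X-Idempotency-Key and the same serialised body.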

Getting Your API Key

1. Log in to the Dashboard
2. Go to Configuration > API Keys
3. Click Show API Key to reveal your key
4. Copy and store it securely

Tip

Use sandbox keys (sk_test_) for development and testing. Switch to live keys (sk_live_) when ready for production.

Security Best Practices

Environment Variables

Store API keys in environment variables, never in code

Key Rotation

Rotate your API keys periodically for better security

Server-Side Only

Never expose API keys in client-side JavaScript

Separate Keys

Use different keys for test and production environments