Authentication

Learn how to authenticate your API requests using API keys.

API Keys

The Cashier API uses API keys to authenticate requests. Each merchant has their own set of API keys that can be managed through the dashboard.

Important: Keep your API keys secure and never expose them in client-side code or public repositories.

Using Your API Key

Include your API key in every request using one of these methods:

Option 1: X-API-Key Header (Recommended)

curl -X POST https://cashier.flowpayment.net/api/v1/checkout \
  -H "X-API-Key: sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"amount": 100, "currency": "BRL", ...}'

Option 2: Authorization Bearer

curl -X POST https://cashier.flowpayment.net/api/v1/checkout \
  -H "Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"amount": 100, "currency": "BRL", ...}'

Key Types

Live Keys

Prefix: sk_live_

Use live keys in production. All transactions are real and will be processed through the actual payment providers.

Test Keys

Prefix: sk_test_

Use test keys during development. No real money is charged and transactions are simulated.

Managing API Keys

You can manage your API keys through the dashboard:

  1. Log in to the Dashboard
  2. Navigate to Merchants
  3. Select your merchant
  4. Click on API Keys
  5. Click Generate API Key to create a new key

Warning: The full API key is only shown once when created. Make sure to copy and store it securely. If you lose it, you'll need to generate a new one.

Error Responses

If authentication fails, you'll receive one of these errors:

Missing API Key

401 Unauthorized
{
  "detail": "API key required. Provide X-API-Key header or Authorization: Bearer <key>"
}

Invalid API Key

401 Unauthorized
{
  "detail": "Invalid API key"
}

Expired API Key

401 Unauthorized
{
  "detail": "API key expired"
}

Security Best Practices

  • Store API keys in environment variables, not in code
  • Use different keys for development and production
  • Rotate keys periodically and after any security incident
  • Revoke unused keys immediately
  • Never commit API keys to version control
  • Never expose keys in client-side JavaScript
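
One way to apply these practices in server-side code, as an added example that is not part of the Cashier documentation or any official SDK: it reads the key from the environment, refuses a key whose prefix does not match the deployment mode, redacts the key for logs, and maps the three documented 401 responses to an action. The variable name CASHIER_API_KEY, the mode names, the redaction format and the suggested actions are assumptions of this example.

```python
import json
import os

# Key prefixes from the page; the mode names are this example's assumption.
PREFIXES = {"production": "sk_live_", "development": "sk_test_"}

def load_api_key(mode, environ=os.environ, var="CASHIER_API_KEY"):
    """Read the key from the environment and refuse a key of the wrong type."""
    key = environ.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set")
    expected = PREFIXES[mode]
    if not key.startswith(expected):
        # Never echo the key itself; name only the expected prefix.
        raise RuntimeError(f"{var} must start with {expected} in {mode} mode")
    return key

def auth_headers(key):
    """Headers for the recommended X-API-Key method."""
    return {"X-API-Key": key, "Content-Type": "application/json"}

def redact(key):
    """Form that is safe to log: key type plus the last four characters."""
    prefix = next((p for p in PREFIXES.values() if key.startswith(p)), "")
    if not prefix or len(key) < len(prefix) + 12:
        return "<redacted>"
    return f"{prefix}...{key[-4:]}"

# Documented 401 "detail" values mapped to an operator action (actions are assumed).
ACTIONS = {
    "API key required": "send the key in X-API-Key or Authorization: Bearer",
    "Invalid API key": "check for a revoked or mistyped key",
    "API key expired": "generate a new key in the dashboard and redeploy",
}

def explain_auth_error(status, body):
    """Return the action for a 401 response body, or None if not an auth error."""
    if status != 401:
        return None
    try:
        detail = str(json.loads(body).get("detail") or "")
    except (ValueError, AttributeError):
        detail = ""
    for known, action in ACTIONS.items():
        if detail.startswith(known):
            return action
    return "unrecognized 401 response; inspect the body"
```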