Skip to main content

Overview

The Monieswitch API uses API token-based authentication to secure all requests. This guide covers how to obtain, use, and manage your API credentials safely.

API Key Types

Monieswitch provides two types of API keys, each designed for specific use cases:

Public Keys (Publishable Keys)

  • Use case: Client-side integrations and Monieswitch Checkout
  • Security: Safe to expose in frontend code and mobile applications
  • Prefix: pk_live_ (production) or pk_test_ (sandbox)
  • Capabilities: Limited to creating payment sessions and retrieving public data

Secret Keys (Private Keys)

  • Use case: Server-side integrations and full API access
  • Security: Must be kept confidential and stored securely
  • Prefix: sk_live_ (production) or sk_test_ (sandbox)
  • Capabilities: Full API access including sensitive operations
Security Best Practices: - Store SECRET_KEY tokens in environment variables, never in code - Never commit secret keys to version control systems
  • Avoid sharing secret keys in public channels, logs, or CI/CD configurations
  • Regularly rotate your API keys for enhanced security - Use different keys for different environments (development, staging, production)

Getting Your API Keys

  1. Log in to your Monieswitch Dashboard
  2. Navigate to Settings → API Keys
  3. Generate new keys or copy existing ones
  4. Store them securely in your application’s environment variables
For detailed steps, see our API Token Creation Guide.

Making Authenticated Requests

Authentication Method

Monieswitch uses Bearer Token authentication. Include your secret key in the Authorization header of every API request:

Example Request

Code Examples

Base URL

All API endpoints are accessible from:

Environment Variables Setup

Sandbox Environment

Create a .env file in your project root:

Live Environment

Set environment variables in your hosting platform:

Key Management Best Practices

Key Rotation

  • Rotate API keys periodically (recommended: every 90 days)
  • Generate new keys before revoking old ones to prevent service interruption
  • Update all applications and services with new keys before revocation

Access Control

  • Use different keys for different services or applications
  • Implement key-specific scoping when available
  • Monitor key usage through your dashboard

Incident Response

If you suspect a key has been compromised:
  1. Immediately revoke the compromised key from your dashboard
  2. Generate a new key pair
  3. Update all affected applications
  4. Monitor for any unauthorized usage

Troubleshooting

Common Authentication Issues

Getting Help

If you’re experiencing authentication issues: