
# Authentication

> Secure your API integration with Monieswitch's token-based authentication system

## Overview

The Monieswitch API uses API token-based authentication to secure all requests. This guide covers how to obtain, use, and manage your API credentials safely.

## API Key Types

Monieswitch provides two types of API keys, each designed for specific use cases:

### Public Keys (Publishable Keys)

* **Use case**: Client-side integrations and Monieswitch Checkout
* **Security**: Safe to expose in frontend code and mobile applications
* **Prefix**: `pk_live_` (production) or `pk_test_` (sandbox)
* **Capabilities**: Limited to creating payment sessions and retrieving public data

### Secret Keys (Private Keys)

* **Use case**: Server-side integrations and full API access
* **Security**: Must be kept confidential and stored securely
* **Prefix**: `sk_live_` (production) or `sk_test_` (sandbox)
* **Capabilities**: Full API access including sensitive operations

<Warning>
  **Security Best Practices:**

  * Store SECRET\_KEY tokens in environment variables, never in code
  * Never commit secret keys to version control systems
  * Avoid sharing secret keys in public channels, logs, or CI/CD configurations
  * Regularly rotate your API keys for enhanced security
  * Use different keys for different environments (development, staging, production)
</Warning>
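
A pre-commit style check for the rules above, added here as an example and not part of Monieswitch's documentation or tooling: it scans text for strings carrying the `sk_live_` / `sk_test_` prefixes and reports them with the key body redacted. The character set after the prefix is an assumption (this page documents only the prefixes), and the sample input is constructed.

```python
import re

# Assumption: the key body is letters, digits or underscores, at least 8 long.
# Only the prefixes sk_live_ / sk_test_ come from the documentation.
SECRET_KEY_RE = re.compile(r"\bsk_(live|test)_[A-Za-z0-9_]{8,}")
# Template placeholders such as sk_test_your_secret_key_here are not credentials.
PLACEHOLDER_RE = re.compile(r"your_\w*key_here$")

# Constructed sample, not real credentials.
SAMPLE = '''\
# settings for the payments worker
MONIESWITCH_SECRET_KEY=sk_test_your_secret_key_here
headers = {"Authorization": "Bearer sk_live_EXAMPLEonly0000000000abcd"}
MONIESWITCH_PUBLIC_KEY=pk_live_EXAMPLEonly0000000000wxyz
key = os.environ["MONIESWITCH_SECRET_KEY"]
'''


def redact(key: str) -> str:
    """Keep the 8-character prefix and last 4 characters so the finding
    can be matched to a dashboard entry without reproducing the key."""
    return key[:8] + "****" + key[-4:]


def scan_text(text: str, filename: str = "<input>") -> list:
    """Return one finding per hard-coded secret key, never the key itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_KEY_RE.finditer(line):
            key = match.group(0)
            if PLACEHOLDER_RE.search(key):
                continue  # documentation placeholder, ignore
            findings.append({
                "file": filename,
                "line": lineno,
                "environment": "production" if match.group(1) == "live" else "sandbox",
                "key": redact(key),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "app.py"):
        print("{file}:{line}: hard-coded {environment} secret key {key}".format(**finding))
```

Publishable `pk_` keys are deliberately not flagged, since the page describes them as safe to expose in frontend code.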

## Getting Your API Keys

1. Log in to your [Monieswitch Dashboard](https://dashboard.monieswitch.com)
2. Navigate to **Settings** → **API Keys**
3. Generate new keys or copy existing ones
4. Store them securely in your application's environment variables

For detailed steps, see our [API Token Creation Guide](/account/api-keys).

## Making Authenticated Requests

### Authentication Method

Monieswitch uses **Bearer Token** authentication. Include your secret key in the `Authorization` header of every API request:

```http theme={"system"}
Authorization: Bearer sk_live_your_secret_key_here
```

### Example Request

```bash theme={"system"}
curl -X GET "https://nini.monieswitch.com/payments" \
  -H "Authorization: Bearer sk_live_your_secret_key_here" \
  -H "Content-Type: application/json"
```

### Code Examples

<CodeGroup>
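  ```javascript JavaScript (Node.js) theme={"system"}
  // Fail fast if the key is unset instead of sending "Bearer undefined"
  const secretKey = process.env.MONIESWITCH_SECRET_KEY;
  if (!secretKey) throw new Error("MONIESWITCH_SECRET_KEY is not set");

  const headers = {
    Authorization: `Bearer ${secretKey}`,
    "Content-Type": "application/json",
  };

  const response = await fetch("https://nini.monieswitch.com/payments", {
    method: "GET",
    headers: headers,
  });
  ```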

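  ```python Python theme={"system"}
  import os
  import requests

  # os.environ[...] raises KeyError if the key is unset, instead of sending "Bearer None"
  secret_key = os.environ["MONIESWITCH_SECRET_KEY"]

  headers = {
      'Authorization': f'Bearer {secret_key}',
      'Content-Type': 'application/json'
  }

  # A timeout keeps a stalled connection from hanging the caller
  response = requests.get('https://nini.monieswitch.com/payments', headers=headers, timeout=10)
  ```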

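  ```php PHP theme={"system"}
  // Fail fast if the key is unset; getenv() returns false in that case
  $secretKey = getenv('MONIESWITCH_SECRET_KEY');
  if ($secretKey === false || $secretKey === '') {
      throw new RuntimeException('MONIESWITCH_SECRET_KEY is not set');
  }

  $headers = [
      'Authorization: Bearer ' . $secretKey,
      'Content-Type: application/json'
  ];

  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, 'https://nini.monieswitch.com/payments');
  curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  $response = curl_exec($ch);
  curl_close($ch);
  ```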
</CodeGroup>

## Base URL

All API endpoints are accessible from:

```
https://nini.monieswitch.com
```

## Environment Variables Setup

### Sandbox Environment

Create a `.env` file in your project root:

```bash theme={"system"}
# Sandbox keys for testing
MONIESWITCH_PUBLIC_KEY=pk_test_your_public_key_here
MONIESWITCH_SECRET_KEY=sk_test_your_secret_key_here
```

### Live Environment

Set environment variables in your hosting platform:

```bash theme={"system"}
# Production keys
MONIESWITCH_PUBLIC_KEY=pk_live_your_public_key_here
MONIESWITCH_SECRET_KEY=sk_live_your_secret_key_here
```
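
A startup check for the configuration above, added here as an example (not Monieswitch's code): it refuses to start when a key is missing, when the secret slot holds a publishable key, or when a key's prefix does not match the deployment environment. `APP_ENV` and the function and class names are assumptions; the variable names and prefixes are the ones on this page.

```python
import os

# Prefixes from the documentation, keyed by (key kind, environment).
EXPECTED_PREFIX = {
    ("public", "sandbox"): "pk_test_",
    ("public", "production"): "pk_live_",
    ("secret", "sandbox"): "sk_test_",
    ("secret", "production"): "sk_live_",
}
ENV_VARS = {"public": "MONIESWITCH_PUBLIC_KEY", "secret": "MONIESWITCH_SECRET_KEY"}


class KeyConfigError(RuntimeError):
    """Raised when the configured keys do not fit the environment."""


def load_keys(environ, app_env):
    """Return {'public': ..., 'secret': ...} or raise KeyConfigError.

    Error messages name the variable and the prefix found, never the key.
    """
    if app_env not in ("sandbox", "production"):
        raise KeyConfigError(f"unknown environment {app_env!r}")
    keys = {}
    for kind, var in ENV_VARS.items():
        value = (environ.get(var) or "").strip()
        expected = EXPECTED_PREFIX[(kind, app_env)]
        if not value:
            raise KeyConfigError(f"{var} is not set")
        if not value.startswith(expected):
            # All four documented prefixes are 8 characters long.
            found = value[:8] if value[:8] in EXPECTED_PREFIX.values() else "unrecognized"
            raise KeyConfigError(f"{var}: expected prefix {expected}, found {found}")
        keys[kind] = value
    return keys


def auth_header(keys):
    """Build the Authorization header from the secret key only."""
    return {"Authorization": f"Bearer {keys['secret']}"}


if __name__ == "__main__":
    # APP_ENV is an assumed variable name for the deployment environment.
    app_env = os.environ.get("APP_ENV", "sandbox")
    load_keys(os.environ, app_env)
    print("Monieswitch keys loaded for", app_env)
```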

## Key Management Best Practices

### Key Rotation

* Rotate API keys periodically (recommended: every 90 days)
* Generate new keys before revoking old ones to prevent service interruption
* Update all applications and services with new keys before revocation

### Access Control

* Use different keys for different services or applications
* Implement key-specific scoping when available
* Monitor key usage through your dashboard

### Incident Response

If you suspect a key has been compromised:

1. Immediately revoke the compromised key from your dashboard
2. Generate a new key pair
3. Update all affected applications
4. Monitor for any unauthorized usage

## Troubleshooting

### Common Authentication Issues

| Issue              | Cause                    | Solution                                          |
| ------------------ | ------------------------ | ------------------------------------------------- |
| `401 Unauthorized` | Invalid or missing token | Verify your key is correct and properly formatted |
| `403 Forbidden`    | Using wrong key type     | Ensure you're using a secret key for API requests |
| `Token expired`    | Key has been revoked     | Generate a new key from your dashboard            |

### Getting Help

If you're experiencing authentication issues:

* Check our [Error Handling Guide](/api-reference/errors) for detailed error codes
* Contact support at [support@monieswitch.com](mailto:support@monieswitch.com)
