API keys

Rebilly has two types of API keys: secret and publishable. Depending on the API operation, you may authenticate with API keys or JWT.

The secret key should never be shared or published to the browser. The publishable key is intended to be shared and published to the browser. As such, there is a very limited number of API operations that are compatible with a publishable key, such as creating a payment token.

Key format

Here is an example key: pk_sandbox_CaDB_u9Jb6JeeaR_p811KmwiGTyJOmg1WInsmuo. The key is structured in a way that has semantic meaning intended to prevent confusing secret and publishable keys.

The secret keys always start with sk_, while the publishable keys always start with pk_.

After that, the environment is designated with either a live or sandbox. After that, the key content begins.

Create a new key

Generate a new key in automations > integrations > custom integrations > add a new key.

api keys

Scoping to organizations

A key may be scoped to a specific organization. Keys are associated to the users that create them. A user may be a member of one or more organizations (and they may join or leave more organizations at any time). They key allows for sending requests on behalf of the user. Therefore, it is important to send the organization-id in the header of each API request to ensure it is handled by the correctly intended Rebilly account. Additionally, you may scope a key to a specific organization too.

Deleting API keys

You may delete API keys at any time. Key deletion is permanent, so be careful prior to deleting API keys.