# API keys

This topic describes API keys and how to use them in Rebilly.

The following key types are available:

- Secret key: Use to authenticate requests on a server. By default, secret keys can be used to perform any API request without restriction. Secret keys must be kept secret and stored securely in the server-side code of your web or mobile application.
- Publishable key: Use to tokenize payment information in your client-side code. Publishable keys are publicly accessible in a web browser or mobile application. Publishable keys are mainly used to create tokens, which are a representation of a payment source that hides sensitive information.


When interacting with the Rebilly API, you use your organization ID and secret key to authenticate requests. This CURL request describes how to authenticate a request using a secret key. To obtain your secret key, see [Obtain a secret key](#obtain-a-secret-key). To obtain your organization ID, see [Obtain an organization ID](/docs/settings/organizations-and-websites#obtain-your-organization-id-and-website-id).


```curl
curl 'https://api-sandbox.rebilly.com/organizations/your_organization_id' \
-H 'REB-APIKEY: your_secret_API_key'
```

## API key format

API keys use the following format: `type_environment_tokenizedPayload`

| Type of key | Example |
|  --- | --- |
| Secret key in the sandbox environment | `sk_sandbox_K7W_ZG1OvxkXmtDx2kaE39IN2YZF0INVcqsdgXl` |
| Publishable key in the live environment | `pk_live_CaDB_u9Jb6JeeaR_p811KmwiGTyJOmg1WInsmuo` |


## Manage API keys

This section describes how to manage API keys.

### Create an API key

Use this process to create new API keys.

1. In the left navigation bar, press .
2. In the **Development** section, press **API keys**.
3. In top right of the screen, press **Create API key**.
4. In the **API key name** field, enter a recognizable name for the key.
5. In the **API key type** section, select **Secret** or **Publishable**.
6. Optionally, in the **Organizations** dropdown, select an organization to associate with the key.
7. Optionally, in the **Allowed IPs** field, enter a list of IP address that are permitted to use the API key. 
Note: Leaving **Allowed IPs** field empty allows all IP addresses.
8. Press **Save API Key** to store API key.


### Obtain an API key

Use this process to view and obtain API keys.

1. In the left navigation bar, press .
2. In the **Development** section, press **API keys**.
3. In the API keys table, under the **Key** column, press .


### Obtain a publishable API key

Use this process to obtain a publishable API key. This key is required to interact with the Rebilly API.

1. In the left navigation bar, press .
2. In the **Development** section, press **API keys**.
3. Optionally, if you have not created a publishable key:
  1. In top right of the screen, press **Create API key**.
  2. In the **API key type** section, select **Publishable**.
  3. Optionally, in the **Organizations** dropdown, select the organizations that can use the API key.
  4. Optionally, in the **Allowed IPs** field, enter the IP addresses that are permitted to use the API key.
  5. Press **Save API key**.
  6. Go to the API keys page.
4. Select a publishable key and copy the **Key** value.


### Obtain a secret key

Use this process to obtain a secret key.

1. In the left navigation bar, press .
2. In the **Development** section, press **API keys**.
3. Optionally, if you have not created a secret key:
  1. In top right of the screen, press **Create API key**.
  2. In the **API key type** section, select **Secret**.
  3. Optionally, in the **Organizations** dropdown, select the organizations that can use the API key.
  4. Optionally, in the **Allowed IPs** field, enter the IP addresses that are permitted to use the API key.
  5. Press **Save API key**.
  6. Go to the API keys page.
4. Select a secret key and copy the **Key** value.


### Edit or delete an API key

Use this process to edit or delete an API key.

Key deletion is permanent.

1. In the left navigation bar, press .
2. In the **Development** section, press **API keys**.
3. Select from the following:
  - Edit an API key:
    1. In the API keys table, under the **Name** column, press an API key.
    2. Edit the API key, then press **Save API key**.
  - Delete an API key: In the API keys table, on the right of an API key, press .


## Associate keys with organizations

To ensure that an API request is handled by the intended Rebilly account, always include the `organizationId` in the request URL. API keys are associated with the user who creates them. In Rebilly, a user may be a member of one or more organizations, and may also join or leave organizations. Example: `https://api-sandbox.rebilly.com/organizations/{organizationId}/customers`.

To associate an API key with an organization, when you create or edit a key, in the **Organizations** dropdown, select an organization. For more information, see [Create an API key](#create-an-api-key) or [Edit an API key](#edit-or-delete-an-api-key).