Rebilly has two types of API keys: secret and publishable. Depending on the API operation, you may authenticate with API keys or JWT.
The secret key should never be shared or published to the browser. The publishable key is intended to be shared and published to the browser. As such, there is a very limited number of API operations that are compatible with a publishable key, such as creating a payment token.
Here is an example key: pk_sandbox_CaDB_u9Jb6JeeaR_p811KmwiGTyJOmg1WInsmuo. The key is structured in a way that has semantic meaning intended to prevent confusing secret and publishable keys.
The secret keys always start with sk_, while the publishable keys always start with
After that, the environment is designated with either a
sandbox. After that, the key content begins.
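The following is an added example, not code from Rebilly: a pre-deployment check that uses the key structure described above to classify keys and to find secret keys in text bound for the browser. The function names and the sk_ sample value are constructed for illustration, and treating pk as the publishable prefix is an assumption based on the example key shown above.

```javascript
// Added example, not Rebilly code. Key layout from the page: <type>_<environment>_<content>.
// "sk" is stated on the page; "pk" is inferred from the page's example key (assumption).
const KEY_TYPES = { sk: 'secret', pk: 'publishable' };

// Split a key into type, environment and content. The content may itself
// contain underscores, so only the first two separators are structural.
function parseKey(key) {
  const m = /^(sk|pk)_([A-Za-z0-9]+)_(.+)$/.exec(String(key).trim());
  if (!m) return null;
  return { type: KEY_TYPES[m[1]], environment: m[2], content: m[3] };
}

// Refuse to hand anything but a publishable key to browser-bound config.
function assertBrowserSafe(key) {
  const parsed = parseKey(key);
  if (!parsed) throw new Error('unrecognized key format');
  if (parsed.type !== 'publishable') {
    throw new Error(`${parsed.type} key must not be published to the browser`);
  }
  return parsed;
}

// Scan text (a built bundle, a template, a config file) for secret keys.
// Findings are masked so the scan report does not itself leak the key.
function findSecretKeys(text) {
  const re = /\bsk_([A-Za-z0-9]+)_[A-Za-z0-9_-]{8,}/g;
  const findings = [];
  for (const m of text.matchAll(re)) {
    findings.push({ index: m.index, masked: `sk_${m[1]}_***(${m[0].length} chars)` });
  }
  return findings;
}

// Constructed sample input; the sk_ value is made up for this example.
const sampleBundle = [
  'const publishableKey = "pk_sandbox_CaDB_u9Jb6JeeaR_p811KmwiGTyJOmg1WInsmuo";',
  'const apiKey = "sk_sandbox_CONSTRUCTED_example_key_000000";',
  'const task_sandbox_id = "not_a_key";',
].join('\n');

console.log(parseKey('pk_sandbox_CaDB_u9Jb6JeeaR_p811KmwiGTyJOmg1WInsmuo'));
console.log(findSecretKeys(sampleBundle));
```

Run the scan over build output in CI and fail the build on any finding.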
Generate a new key in automations > integrations > custom integrations > add a new key.
A key may be scoped to a specific organization. Keys are associated with the users that create them. A user may be a member of one or more organizations (and they may join or leave more organizations at any time). The key allows for sending requests on behalf of the user. Therefore, it is important to send the organization-id in the header of each API request to ensure it is handled by the intended Rebilly account. Additionally, you may scope a key to a specific organization.
You may delete API keys at any time. Key deletion is permanent, so be careful prior to deleting API keys.