API Authentication#
All API requests to Plexy must be authenticated. For server-side requests, use your API key in the request header.Include your API key in the Authorization header using the scheme:Test and live mode#
Plexy uses the same API endpoint for test and live traffic. The API key determines the mode:Use a test API key to run simulated transactions without moving money.
Use a live API key for production payments.
Keep the client SDK environment set to live/APSE (live-apse, Environment.apse, Environment.APSE, or Environment.liveApse). Do not switch Plexy SDK environment values away from live/APSE.
See Test and Live Payments for the full flow.Never expose your secret API key in client-side code. Use client-side
authentication for frontend
applications.
Security best practices#
1.
Store keys securely - Use environment variables or a secrets manager
2.
Rotate keys regularly - Generate new keys periodically
3.
Use separate keys - Different keys for each environment and merchant account
4.
Monitor usage - Review API logs for unauthorized access attempts
Client-Side Authentication#
For frontend applications, use client keys instead of secret API keys. Client keys are designed to be safely included in client-side code.Client keys#
Client keys have the prefix pb_ and can only perform limited operations:Initialize payment sessions
Retrieve public configuration
Get a client key#
Go to Developers > Settings > API Keys in your Dashboard.For APSE integrations, use a clientKey and x-api-key from the same merchant account and mode. For test transactions, use the test API key; for production, use the live API key. The backend still calls https://api.plexypay.com/v2/sessions; APSE is selected by the client SDK environment, not by a field in the /v2/sessions body.
Payment sessions#
For sensitive operations, use server-generated payment sessions:1
Create session (server-side)
2
Use session (client-side)
Security considerations#
Never use secret API keys (pr_) in client-side code. They will be visible to
anyone who inspects your application.
| Do | Don't |
|---|
Use client keys (pb_) in frontend | Expose secret keys (pr_) in frontend |
| Restrict domains | Allow all domains |
| Use payment sessions for amounts | Pass amounts from client |
| Validate on server | Trust client-side data |
See also#
API Authentication - Server-side authentication