API authentication
API keys, environments, and security practices.
All API requests are authenticated with an API key in the api-key header:
curl https://api.spicepay.net/payments \
-H "api-key: prd_****************" \
-H "Content-Type: application/json"
Key types
| Prefix | Type | Use |
|---|---|---|
prd_ |
Secret, production | Server-side only, real money |
snd_ |
Secret, sandbox | Server-side, test environment |
pk_prd_ / pk_snd_ |
Publishable | Browser-side only (hosted checkout) — safe to expose |
Secret keys grant full API access to your merchant account. Never ship them in client code, mobile apps, or public repositories. The publishable key is what the hosted checkout uses, always together with a payment's short-lived client_secret.
Managing keys
Create, label, and revoke secret keys in the Control Center. Keys are shown once at creation — store them in your secret manager.
- Create separate keys per service/integration, so one compromise or one revocation doesn't take everything down.
- Revocation is immediate.
- Set an expiry on keys used by short-lived integrations.
Your publishable key lives on the merchant account and is visible in the dashboard at any time.
Environments
Sandbox and production are fully separate: separate API keys, separate data, separate connector credentials. A snd_ key can never touch production data. Sandbox works with your processors' test credentials end to end, including webhooks.
Idempotency
Mutating endpoints are idempotent via resource IDs rather than a separate header: pass your own payment_id when creating a payment (or refund_id when creating a refund) and retries of the same request return the original result instead of creating a duplicate.
Webhook authenticity
Inbound API calls use the api-key header; outbound webhooks are HMAC-signed so you can verify they came from SpicePay — see Webhooks.