
Authentication


TLS (HTTPS) compliant endpoints are required to ensure connection security and prevent man-in-the-middle attacks. Credo products are secured from unauthorized use by restricting API calls to those that provide proper authentication credentials in the form of API Keys.

An API key is a unique identifier that authenticates payment requests associated with your Credo Account. Both Demo and Live environments have a two-key set: a secret key and a public key.

The public key is meant to be utilized when calling endpoints from the client-side (browser, mobile app). You should only use the secret key when calling the API from a server, where it won't be exposed to others.

Keep your secret keys private at all times.

Note: The test keys (retrieved from the demo/sandbox dashboard) only work with test data; no real cards are charged or accounts debited. Use the test keys when setting up your integration, and when you are done, use the live keys for final testing before you launch.

To get your keys

  • Log in to your Credo dashboard.
  • Navigate to Settings.
  • Select the API Keys option in the Developer Settings section of the menu to view and copy your keys.

Important

If you think your keys may have been compromised (for instance, you accidentally committed them to Git), you should immediately generate new ones using the Regenerate keys button on the API Keys page on your dashboard. This will invalidate all existing keys and give you a new set, and you can then update your app to use the new ones.
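
One way to catch the accidental commit described above before it happens is a Git pre-commit hook that searches staged files for the exact value of your secret key. This is an added example, not code from Credo; the environment variable name `CREDO_SECRET_KEY` is an assumption, and the script relies only on the key being present in the server or developer environment.

```python
import os
import subprocess
import sys

ENV_VARS = ("CREDO_SECRET_KEY",)  # assumed variable name, not from Credo's docs
MIN_LEN = 8  # ignore very short values that would match unrelated text

def load_secrets(environ=os.environ, names=ENV_VARS):
    """Return the secret values to search for, as bytes."""
    return [environ[n].encode() for n in names
            if len(environ.get(n, "")) >= MIN_LEN]

def find_leaks(blobs, secrets):
    """blobs: iterable of (path, bytes). Return sorted (path, line_no) hits."""
    hits = []
    for path, data in blobs:
        for line_no, line in enumerate(data.splitlines(), 1):
            if any(s in line for s in secrets):
                hits.append((path, line_no))
    return sorted(hits)

def staged_blobs():
    """Yield (path, content) for files added, copied or modified in the index."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "-z", "--diff-filter=ACM"],
        check=True, capture_output=True).stdout
    for name in filter(None, out.split(b"\0")):
        path = os.fsdecode(name)
        # ":<path>" reads the staged version, not the working-tree copy
        blob = subprocess.run(["git", "show", ":" + path],
                              check=True, capture_output=True).stdout
        yield path, blob

def main():
    secrets = load_secrets()
    if not secrets:
        print("no secret key in environment; nothing to check")
        return 0
    hits = find_leaks(staged_blobs(), secrets)
    for path, line_no in hits:
        # report the location only; never print the key itself
        print(f"secret key found in staged file {path}:{line_no}")
    return 1 if hits else 0  # non-zero exit makes Git abort the commit

if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` and made executable, the script blocks any commit whose staged content contains the key. It does not detect keys that were already committed; those still need to be regenerated from the dashboard.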