Moosyl logo

API Keys

API keys are essential for authenticating with Moosyl's services. This guide covers how to manage, secure, and use your API keys effectively.

Overview

Moosyl provides two types of API keys:

  • Publishable Keys (pk_...): Safe for client-side use (Flutter, React apps)
  • Secret Keys (sk_...): Must be kept secure, only for backend use

Getting Your API Keys

1. Sign Up for Moosyl

  1. Visit moosyl.com and create an account
  2. Complete the account verification process
  3. Access your dashboard

2. Generate API Keys

  1. Navigate to API Keys in your dashboard
  2. Click "Create New Key"
  3. Choose key type:
    • Publishable Key (for client-side)
    • Secret Key (for backend)
  4. Copy and store securely

3. Test vs Live Keys

  • Test Keys (pk_test_..., sk_test_...): For development and testing
  • Live Keys (pk_live_..., sk_live_...): For production transactions

Key Types Explained

Publishable Keys

Format: pk_test_... or pk_live_...

Usage:

  • Initialize payment interfaces in Flutter/React apps
  • Safe to expose in client-side code
  • Cannot perform sensitive operations

Example:

// Flutter
MoosylView(
  publishableApiKey: 'pk_test_1234567890abcdef',
  transactionId: 'txn_123',
  // ... other properties
)
// React
<MoosylProvider publishableKey="pk_test_1234567890abcdef">
  <PaymentForm />
</MoosylProvider>

Secret Keys

Format: sk_test_... or sk_live_...

Usage:

  • Create payment requests
  • Verify webhook signatures
  • Access sensitive account data
  • Must be kept secure

Example:

// Node.js Backend
const response = await fetch('https://api.moosyl.com/payment-request', {
  method: 'POST',
  headers: {
    'Authorization': 'sk_test_1234567890abcdef',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    amount: 5000,
    transactionId: 'txn_123',
  }),
});

Security Best Practices

🔒 Keep Secret Keys Secure

❌ Never do this:

// DON'T: Expose secret key in client code
const secretKey = 'sk_live_1234567890abcdef'; // NEVER!

✅ Do this instead:

// DO: Use environment variables
const secretKey = process.env.MOOSYL_SECRET_KEY;

🔄 Rotate Keys Regularly

  1. Generate new keys in your dashboard
  2. Update your applications with new keys
  3. Revoke old keys after confirming new ones work
  4. Test thoroughly before revoking old keys

🏗️ Use Different Keys for Different Environments

Development:

MOOSYL_SECRET_KEY=sk_test_dev_1234567890abcdef
MOOSYL_PUBLISHABLE_KEY=pk_test_dev_1234567890abcdef

Staging:

MOOSYL_SECRET_KEY=sk_test_staging_1234567890abcdef
MOOSYL_PUBLISHABLE_KEY=pk_test_staging_1234567890abcdef

Production:

MOOSYL_SECRET_KEY=sk_live_1234567890abcdef
MOOSYL_PUBLISHABLE_KEY=pk_live_1234567890abcdef

🔍 Monitor Key Usage

  • Check dashboard logs for API key usage
  • Set up alerts for unusual activity
  • Review access patterns regularly
  • Monitor failed authentication attempts

Environment Setup

Flutter/React Apps

Environment Variables (.env file):

MOOSYL_PUBLISHABLE_KEY=pk_test_1234567890abcdef

Usage:

// Flutter
final publishableKey = const String.fromEnvironment('MOOSYL_PUBLISHABLE_KEY');
// React
const publishableKey = process.env.REACT_APP_MOOSYL_PUBLISHABLE_KEY;

Backend Services

Environment Variables:

MOOSYL_SECRET_KEY=sk_test_1234567890abcdef
MOOSYL_PUBLISHABLE_KEY=pk_test_1234567890abcdef

Usage:

// Node.js
const secretKey = process.env.MOOSYL_SECRET_KEY;
const publishableKey = process.env.MOOSYL_PUBLISHABLE_KEY;
# Python
import os
secret_key = os.getenv('MOOSYL_SECRET_KEY')
publishable_key = os.getenv('MOOSYL_PUBLISHABLE_KEY')

Key Management

Creating New Keys

  1. Log into your dashboard
  2. Go to API Keys section
  3. Click "Create New Key"
  4. Select key type and environment
  5. Set expiration date (optional)
  6. Copy the key immediately

Revoking Keys

  1. Find the key in your dashboard
  2. Click "Revoke"
  3. Confirm the action
  4. Update your applications with new keys

Key Permissions

You can restrict key permissions for enhanced security:

  • Payment Creation: Create payment requests
  • Webhook Verification: Verify webhook signatures
  • Account Access: Read account information
  • Transaction History: Access transaction data

Testing Your Keys

Verify Publishable Key

// Test if publishable key is valid
const response = await fetch('https://api.moosyl.com/account', {
  headers: {
    'Authorization': 'pk_test_1234567890abcdef',
  },
});

if (response.ok) {
  console.log('Publishable key is valid');
} else {
  console.log('Invalid publishable key');
}

Verify Secret Key

// Test if secret key is valid
const response = await fetch('https://api.moosyl.com/payment-request', {
  method: 'POST',
  headers: {
    'Authorization': 'sk_test_1234567890abcdef',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    amount: 100, // Small test amount
    transactionId: 'test_' + Date.now(),
  }),
});

if (response.ok) {
  console.log('Secret key is valid');
} else {
  console.log('Invalid secret key');
}

Common Issues

Invalid API Key Error

Symptoms:

  • 401 Unauthorized responses
  • "Invalid API key" error messages

Solutions:

  1. Check key format: Ensure correct prefix (pk_ or sk_)
  2. Verify environment: Make sure you're using the right environment keys
  3. Check expiration: Keys may have expired
  4. Confirm permissions: Key may lack required permissions

Key Not Working in Production

Common causes:

  • Using test keys in production
  • Missing environment variables
  • Incorrect key format
  • Network/firewall issues

Debugging steps:

  1. Verify key type: Use live keys for production
  2. Check environment setup: Ensure variables are loaded
  3. Test with curl: Verify key works independently
  4. Check logs: Review application and API logs

Webhook Signature Verification Fails

Symptoms:

  • Webhook signatures don't match
  • Invalid signature errors

Solutions:

  1. Use correct secret key: Must match the webhook's secret
  2. Check payload format: Use raw request body
  3. Verify algorithm: Use HMAC-SHA256
  4. Check timing: Ensure clocks are synchronized

Key Rotation Strategy

Planned Rotation

  1. Schedule rotation (e.g., every 90 days)
  2. Generate new keys before expiration
  3. Update applications gradually
  4. Monitor for issues
  5. Revoke old keys after confirmation

Emergency Rotation

  1. Immediately revoke compromised keys
  2. Generate new keys
  3. Update all applications
  4. Monitor for unauthorized access
  5. Review security logs

Next Steps

Now that you understand API keys:

  • Set up your first integration using our Flutter SDK or React SDK
  • Configure webhooks for real-time payment notifications
  • Learn about webhook security in our webhooks guide
  • Review our FAQ for common questions
  • Test your integration thoroughly before going live

Support

Need help with API keys?

  • Check our FAQ for common issues
  • Email support: support@moosyl.com
  • Dashboard support: Use the built-in support system
  • Review logs: Check API usage in your dashboard

On this page

OverviewGetting Your API Keys1. Sign Up for Moosyl2. Generate API Keys3. Test vs Live KeysKey Types ExplainedPublishable KeysSecret KeysSecurity Best Practices🔒 Keep Secret Keys Secure🔄 Rotate Keys Regularly🏗️ Use Different Keys for Different Environments🔍 Monitor Key UsageEnvironment SetupFlutter/React AppsBackend ServicesKey ManagementCreating New KeysRevoking KeysKey PermissionsTesting Your KeysVerify Publishable KeyVerify Secret KeyCommon IssuesInvalid API Key ErrorKey Not Working in ProductionWebhook Signature Verification FailsKey Rotation StrategyPlanned RotationEmergency RotationNext StepsSupport
API Keys