API Keys
Available via: Dashboard only
The API Keys section in Settings lets you manage the credentials your integration uses to call the Inflow API and the SDK.
Two Keys, Two Purposes
| Key | Header | Where to use |
|---|---|---|
Private Key (inflow_prod_...) | X-Inflow-Api-Key | Server-side calls only — payments, subscriptions, webhooks, refunds, customers, payouts. |
Public Key (inflow_pub_prod_...) | X-Inflow-Public-Key | Client-side SDK only — used by the iframe card form. |
Inflow currently only exposes the production environment to merchants — the keys you generate from the dashboard are live keys (
inflow_prod_.../inflow_pub_prod_...) and every API call against them is real money. A dedicated sandbox / test environment is on our roadmap and will be released soon.
Both keys are scoped to your Inflow account. Once the sandbox launches, you will get a separate pair of test keys with their own prefix.
Where to Find Them
The Developer page is the single source for both keys — you generate, rotate, and copy your private key and your public SDK key from the same screen.
- Open your Inflow Dashboard.
- Go to Settings → API Keys, or jump directly to dashboard.inflowpay.com/devs.
- Copy the keys you need. The private key is masked by default — click Reveal to display it.
Creating or Rotating a Key
You can create a new key or rotate an existing one from the same screen. Rotation is immediate: the previous key stops working as soon as the new one is generated.
- Click Regenerate next to the key you want to rotate.
- Confirm — the new key is shown once. Copy it immediately.
- Update every environment that uses the old key (server, SDK config, CI secrets, deploy variables).
Only members with Admin or Owner role can create or rotate API keys. See Team & Members for role definitions.
Security Best Practices
- Never expose your private key in frontend code. Keep it on your backend or in a secret manager.
- The public key is safe to ship to the browser, but it can only call SDK endpoints.
- Use environment variables in development and a secrets manager in production.
- Rotate the private key if it leaks, if a teammate with access leaves, or on a regular cadence.
- Pair API key access with Two-Factor & Security on the dashboard account that holds those keys.
Related
- Get Your API Keys — quickstart for first-time integration.
- Authentication & API Keys — request format and headers.
Updated 2 days ago