Authentication & API Keys
API Key Types
Inflow uses two types of API keys:
| Key Type | Header | Prefix | Use Case |
|---|---|---|---|
| Private Key | X-Inflow-Api-Key | inflow_priv_ | Server-side API calls (create payments, manage subscriptions, webhooks) |
| Public Key | X-Inflow-Public-Key | inflow_pub_ | Client-side SDK initialization (card payment form) |
Private Key
Use your private key for all server-to-server API calls. This key has full access to your merchant account.
```bash
curl https://api.inflowpay.xyz/api/payment \
  -H "X-Inflow-Api-Key: inflow_priv_your_key_here"
```

Never expose your private key in frontend code, public repositories, or client-side JavaScript. Keep it on your server only.
Public Key
Use your public key to initialize the Inflow SDK on your frontend. This key can only access SDK endpoints and cannot perform sensitive operations.
```javascript
const provider = new InflowPayProvider({
  config: { apiKey: 'inflow_pub_your_key_here' }
});
```

The public key is safe to include in browser-side code.
Where to Find Your Keys
- Log in to your Inflow Dashboard.
- Go to Settings.
- Find your API Keys section.
- Copy your Private Key and/or Public Key.
You can regenerate keys at any time from the Dashboard. Regenerating a key invalidates the previous one immediately.
Authentication Errors
| Status Code | Error | Description |
|---|---|---|
| 401 | Unauthorized | Missing or invalid API key |
| 403 | Forbidden | The key doesn't have permission for this endpoint |
Example error response:
```json
{
  "statusCode": 401,
  "message": "Unauthorized",
  "error": "Unauthorized"
}
```

Security Best Practices
- Store your private key in environment variables, never in code.
- Use your public key only for the SDK — it cannot create payments or access sensitive data.
- Regenerate your keys immediately if you suspect they have been compromised.
- Use different keys for development and production environments.
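
The practices above can be enforced in code. The following is an added example, not Inflow's own code: it loads the private key from an environment variable, rejects a public key supplied by mistake, and scans frontend build output for the `inflow_priv_` prefix. The variable name `INFLOW_PRIVATE_KEY`, the key-body character set in the regex, and the sample keys are assumptions constructed for illustration.

```javascript
// Added example, not Inflow's code. Prefixes and the header name come from the
// tables above; the key-body character set in the regex is an assumption.
const PRIVATE_PREFIX = 'inflow_priv_';
const PUBLIC_PREFIX = 'inflow_pub_';
const PRIVATE_KEY_RE = /inflow_priv_[A-Za-z0-9_-]+/g;

// Read the private key from the environment and fail closed on mistakes.
// INFLOW_PRIVATE_KEY is a hypothetical variable name.
function loadPrivateKey(env = process.env) {
  const key = (env.INFLOW_PRIVATE_KEY || '').trim();
  if (!key) throw new Error('INFLOW_PRIVATE_KEY is not set');
  if (key.startsWith(PUBLIC_PREFIX)) {
    throw new Error('public key supplied where the private key is required');
  }
  if (!key.startsWith(PRIVATE_PREFIX) || key.length === PRIVATE_PREFIX.length) {
    throw new Error('value does not look like an Inflow private key');
  }
  return key;
}

// Header for server-to-server calls.
function serverHeaders(env = process.env) {
  return { 'X-Inflow-Api-Key': loadPrivateKey(env) };
}

// Keep only the prefix and the last four characters so findings are loggable.
function redact(key) {
  return PRIVATE_PREFIX + '***' + key.slice(PRIVATE_PREFIX.length).slice(-4);
}

// Scan frontend build output ({ path: contents }) for private keys.
function findLeakedPrivateKeys(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      for (const m of line.matchAll(PRIVATE_KEY_RE)) {
        findings.push({ path, line: i + 1, key: redact(m[0]) });
      }
    });
  }
  return findings;
}

// Constructed sample bundle: the public key is expected, the private key is a leak.
const SAMPLE_FILES = {
  'dist/app.js': "const cfg = { apiKey: 'inflow_pub_CONSTRUCTEDsample0001' };\n" +
    "fetch(u, { headers: { 'X-Inflow-Api-Key': 'inflow_priv_CONSTRUCTEDsample1234' } });",
  'dist/vendor.js': 'console.log("no keys here");',
};
```

Run the scanner over the files your bundler emits as a CI step and fail the build on any finding; a key that reached a bundle should be regenerated from the Dashboard.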