Authentication & API Keys
Every Inflow API call is authenticated with one of two keys you get from your dashboard. This section covers what each key is for, where to put it, and how to structure the rest of your request.
The two keys, in one table
| Key | Header | Where it belongs |
|---|---|---|
Private Key (inflow_prod_...) | X-Inflow-Api-Key | Server-side only — payments, subscriptions, webhooks, refunds, customers, payouts. Never ship this to a browser. |
Public Key (inflow_pub_prod_...) | X-Inflow-Public-Key | Client-side SDK only — used by the iframe card form to tokenize card data. Safe to embed in front-end code. |
Today, the only environment exposed to merchants is production — every key you can generate is a live key (
inflow_prod_.../inflow_pub_prod_...) and every request hits the real-money API. A dedicated sandbox / test environment is on the roadmap and will be released soon.
For a deeper walk-through of the dashboard UI to retrieve and rotate your keys, see Get Your API Keys in Getting Started, or API Keys in Platform Settings.
What's in this section
| Page | Use it when |
|---|---|
| Base URLs & Request Format | Structuring your first request — base URLs per resource, required headers, status codes, error format. |
Quick request example
curl -X POST https://api.inflowpay.xyz/api/checkout/payment \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "X-Inflow-Api-Key: inflow_prod_your_key" \
-d '{
"products": [{ "name": "Product", "price": 4999, "quantity": 1 }],
"currency": "EUR",
"customerEmail": "[email protected]",
"successUrl": "https://yoursite.com/success"
}'See Base URLs & Request Format for the full reference, including subscription and link prefixes and the dedicated card-payments base URL.
Updated 7 days ago