PlutoPay Docs
API Reference Dashboard ↗

#Authentication

PlutoPay authenticates every API request with an API key. Create and manage keys in the Dashboard under Developers → API keys.

#Key types

Type Prefix Use
Secret sk_live_… / sk_test_… Server-side only. Full access — create payments, refunds, manage terminals, register webhooks. Never expose in client code.
Publishable pk_live_… / pk_test_… Safe to embed in client apps — e.g. to confirm a payment with a client_secret and the Payment Element.

Send the secret key as a Bearer token in the Authorization header:

curl https://plutopayus.com/api/v1/merchant \
  -H "Authorization: Bearer sk_test_your_key_here"

Bearer only. PlutoPay does not support HTTP Basic auth (-u "sk_test_...:"). Always use the Authorization: Bearer header.

#Key lifecycle

A secret key is shown once, at creation. It is stored only as a hash and can never be retrieved again — copy it immediately into your secrets manager.

  • RotateRoll a key in the Dashboard to mint a replacement (shown once), optionally with a 24-hour grace window during which the old key keeps working.
  • Revoke — invalidates a key immediately.
  • Expire — keys may carry an expires_at; expired keys are rejected.

Missing, invalid, revoked, or expired keys return 401. A well-formed key whose merchant account is inactive returns 403. Both use the canonical error envelope.

#Test vs live mode

Every key is bound to a mode:

  • Test keys (sk_test_…, pk_test_…) run against Stripe test infrastructure. No real money moves. Use test cards.
  • Live keys (sk_live_…) move real money.

Test and live ride the same endpoints — only the key differs. Objects created with a test key are flagged is_test: true and are fully isolated from live data.

Next: Choosing an integration · Errors