#Authentication
PlutoPay authenticates every API request with an API key. Create and manage keys in the Dashboard under Developers → API keys.
#Key types
| Type | Prefix | Use |
|---|---|---|
| Secret | sk_live_… / sk_test_… |
Server-side only. Full access — create payments, refunds, manage terminals, register webhooks. Never expose in client code. |
| Publishable | pk_live_… / pk_test_… |
Safe to embed in client apps — e.g. to confirm a payment with a client_secret and the Payment Element. |
Send the secret key as a Bearer token in the Authorization header:
curl https://plutopayus.com/api/v1/merchant \
-H "Authorization: Bearer sk_test_your_key_here"
Bearer only. PlutoPay does not support HTTP Basic auth (
-u "sk_test_...:"). Always use theAuthorization: Bearerheader.
#Key lifecycle
A secret key is shown once, at creation. It is stored only as a hash and can never be retrieved again — copy it immediately into your secrets manager.
- Rotate — Roll a key in the Dashboard to mint a replacement (shown once), optionally with a 24-hour grace window during which the old key keeps working.
- Revoke — invalidates a key immediately.
- Expire — keys may carry an
expires_at; expired keys are rejected.
Missing, invalid, revoked, or expired keys return 401. A well-formed key whose merchant account is inactive returns 403. Both use the canonical error envelope.
#Test vs live mode
Every key is bound to a mode:
- Test keys (
sk_test_…,pk_test_…) run against Stripe test infrastructure. No real money moves. Use test cards. - Live keys (
sk_live_…) move real money.
Test and live ride the same endpoints — only the key differs. Objects created with a test key are flagged is_test: true and are fully isolated from live data.
Next: Choosing an integration · Errors