Applications and Keys
Understand the client API applications, publishable keys, secret keys, browser origins, and rotation practices your integration depends on.
Applications group credentials, environments, browser origins, rate limits, and client API request history for an integration.
Application and credential management happens in Payflow. This page documents only what an integration needs to know to call the client API safely.
Application lifecycle
- Create or select an application in Payflow.
- Use sandbox keys while building and testing.
- Add allowed browser origins before using publishable keys in a browser.
- Keep secret keys in a server-side secret manager.
- Rotate keys when operators change, infrastructure changes, or exposure is suspected.
- Create live keys only after Payflow enables production use for the application.
Key types
| Key | Prefix | Where to use it | Typical client API use |
|---|---|---|---|
| Publishable sandbox | pk_test_ | Browser/mobile | Browser-safe setup calls protected by origin checks. |
| Secret sandbox | sk_test_ | Backend only | Hosted checkout, component confirmation, ACH tokenization, ACH transfers. |
| Publishable production | pk_live_ | Browser/mobile | Production browser-safe calls after live access is enabled. |
| Secret production | sk_live_ | Backend only | Production server-side payment flows. |
Store keys safely
Secret keys are server credentials. Store them in:
- A cloud secret manager.
- A deployment secret store.
- Local
.envfiles for development only.
Do not store secret keys in:
- Browser bundles.
- Mobile app binaries.
- Git history.
- Screenshots.
- Client logs.
- Analytics events.
- Customer support transcripts.
Rotate secret keys
Use a rotation process like this:
- Create a new secret in Payflow.
- Deploy the new secret to all backend services.
- Confirm new traffic is using the new suffix.
- Revoke or retire the old secret after your overlap window.
Use immediate revocation when a key may be compromised.
Configure CORS origins
Publishable keys are protected by application environment origins.
Origins must be origin-only values. Do not include a path:
Valid: https://checkout.example.com
Invalid: https://checkout.example.com/payProduction origins must use HTTPS. Sandbox may allow local loopback HTTP origins for development.
Request IDs and logs
Send a stable request ID from your backend when creating or confirming payments:
X-Request-Id: checkout-order-1001-attempt-1When debugging a client API call, collect the request ID, key suffix, environment, endpoint, HTTP status, and payflowReference when available.
Authentication
Authenticate client API requests with Bearer API keys, understand key prefixes, CORS checks, rate limits, and request IDs.
Environments
Work safely across sandbox and production using environment-specific credentials, origins, routing outcomes, provider configuration, and launch controls.