Your Integration Kit (dashboard → Integration Kit) issues three credentials per environment:
CredentialPrefixWhere it livesUsed for
Publishable keysf_test_pk_ / sf_live_pk_Browser (safe to expose)Identifies your account to the widget
Secret keysf_test_sk_ / sf_live_sk_Your backend onlyServer-to-server API calls
Webhook signing secretsf_test_whsec_ / sf_live_whsec_Your backend onlyVerifying webhook signatures

Authenticating API requests

Send the secret key as a bearer token:
curl https://api.switchflows.net/api/v1/payment-sessions \
  -H "Authorization: Bearer sf_test_sk_..."
A missing or invalid key returns 401 Unauthorized. The secret key is scoped to the integration surface (payment sessions); it cannot read or change dashboard configuration such as rules, connections, or keys.

Handling secrets

  • Secret and webhook keys are shown once at generation — only a hash is stored server-side, so they cannot be retrieved again. Store them in your secret manager immediately.
  • Regenerating a key revokes the previous one immediately and is audit-logged.
  • Never embed the secret key in browser code, mobile apps, or version control. The publishable key is the only credential designed to be public.

Widget calls

The widget authenticates its one API call (payment submission) with the session’s clientSecret, not with any of your keys — the client secret is single-session, expiring, and returned only to your backend at session creation. You pass it to the page yourself, which is why payment sessions must always be created server-side.