| Credential | Prefix | Where it lives | Used for |
|---|---|---|---|
| Publishable key | sf_test_pk_ / sf_live_pk_ | Browser (safe to expose) | Identifies your account to the widget |
| Secret key | sf_test_sk_ / sf_live_sk_ | Your backend only | Server-to-server API calls |
| Webhook signing secret | sf_test_whsec_ / sf_live_whsec_ | Your backend only | Verifying webhook signatures |
Authenticating API requests
Send the secret key as a bearer token:401 Unauthorized. The secret key is scoped
to the integration surface (payment sessions); it cannot read or change
dashboard configuration such as rules, connections, or keys.
Handling secrets
- Secret and webhook keys are shown once at generation — only a hash is stored server-side, so they cannot be retrieved again. Store them in your secret manager immediately.
- Regenerating a key revokes the previous one immediately and is audit-logged.
- Never embed the secret key in browser code, mobile apps, or version control. The publishable key is the only credential designed to be public.
Widget calls
The widget authenticates its one API call (payment submission) with the session’sclientSecret, not with any of your keys — the client secret is
single-session, expiring, and returned only to your backend at session
creation. You pass it to the page yourself, which is why payment sessions
must always be created server-side.