# Authentication

> Learn how the API ensures secure access

API keys authenticate requests and are typically provided in an `Authorization` header.

Your keys identify your account on our platform and carry many privileges, so be sure to keep them secure!

Do not share your secret API keys in publicly accessible areas such as public source code repositories, client-side code, and so forth.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail.

API requests:

* without authentication will return an unauthorized error
* without a valid key will return an invalid request error
* with a deleted or expired key will return a forbidden error

#### Operating Modes

The Moment APIs support two modes of operation: **Test Mode** and **Live Mode**.\
Each mode is associated with a unique pair of API keys — a **Secret Key** and a **Public Key** — resulting in a total of four keys per account.

1. **Live Mode** – In this mode, real funds are transferred. Use it only in production environments.
2. **Test Mode** – No actual funds are transferred in this mode. It is intended solely for development, testing, and integration purposes.

|              | Test Mode                                                        | Live Mode                                              |
| ------------ | ---------------------------------------------------------------- | ------------------------------------------------------ |
| **Prefixes** | `sk_test_*********************`, `pk_test_*********************` | `sk_*********************`, `pk_*********************` |
| **Purpose**  | Used for integration and testing                                 | Used for live API requests in production               |

#### API Keys

Every API request must include the `Authorization` header with your API key as a bearer token:

```http
Authorization: Bearer <your_api_key>
```


The API key will be either a **secret key** or a **public key**, as described below:

|              | Secret Key                                                                                                                                       | Public Key                                                                                                                         |
| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------- |
| **Format**   | sk\_\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*                                                                                                   | pk\_\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*                                                                                     |
| **Purpose**  | Intended for **server-side interactions**.                                                                                                       | Intended for **client-side interactions**.                                                                                         |
| **Scope**    | Provides full access to the API, including the ability to create, read, update, and delete resources.                                            | Limited access for operations that do not expose sensitive data or require elevated permissions (e.g., creating payment sessions). |
| **Security** | Keep this key private, use it for server-to-server API calls, and do not expose it in client-side applications like web browsers or mobile apps. | Safe for use in client-side applications but should still be restricted to specific operations.                                    |
| **Example**  | sk\_vYZCAeHawUqDCmVpEKh2U                                                                                                                        | pk\_WeHsNn87r4gtNc5BQT9Mj                                                                                                          |
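
The prefix rules in the two tables above can be enforced in code before a key is ever sent or committed. The following is an added example, not part of the Moment documentation or SDK: the function names and the `server_side` and `production` flags are hypothetical, and the 21-character alphanumeric key body is an assumption inferred from the masked prefixes and example keys on this page.

```python
import re

# Assumption: key body is 21 alphanumeric characters (inferred from this page).
KEY_RE = re.compile(r"\b(sk|pk)_(test_)?([A-Za-z0-9]{21})\b")


def classify_key(key):
    """Return (kind, mode) for a key, or None if it does not match the format."""
    m = KEY_RE.fullmatch(key.strip())
    if not m:
        return None
    kind = "secret" if m.group(1) == "sk" else "public"
    return kind, "test" if m.group(2) else "live"


def auth_header(key, *, server_side, production):
    """Build the Authorization header, refusing key/context mismatches."""
    info = classify_key(key)
    if info is None:
        raise ValueError("value does not look like an API key")
    kind, mode = info
    if kind == "secret" and not server_side:
        raise ValueError("secret keys must not be used in client-side code")
    if (mode == "live") != production:
        raise ValueError(f"{mode} key does not match the target environment")
    return {"Authorization": f"Bearer {key.strip()}"}


def find_secret_keys(text):
    """Yield (line_no, mode, redacted_key) for each secret key found in text."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            if m.group(1) == "sk":
                mode = "test" if m.group(2) else "live"
                # Redact most of the body so the finding is safe to log.
                yield line_no, mode, m.group(0)[:-17] + "*" * 17


# Constructed sample input: the key bodies below are made up for this example.
SAMPLE = "\n".join([
    'API_KEY = "sk_test_' + "A" * 21 + '"',
    'const pk = "pk_' + "B" * 21 + '";',
    'curl -H "Authorization: Bearer sk_' + "C" * 21 + '"',
])

if __name__ == "__main__":
    for finding in find_secret_keys(SAMPLE):
        print(finding)  # public keys are not reported, only sk_ keys
```

`find_secret_keys` can be run over staged files in a pre-commit hook or CI job, and `auth_header` can wrap the point where requests are built so a live or secret key fails fast in the wrong context.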


To keep your account safe, we recommend you:

* Rotate keys regularly to enhance security.
* Revoke compromised keys immediately.


New keys can be requested from the [customer success](/documentation/support) team as needed.
