Technical Guides
Authentication
Learn how the API ensures secure access
API keys are used to authenticate requests, typically provided as an
Each mode is associated with a unique pair of API keys — a Secret Key and a Public Key — resulting in a total of four keys per account.
The API key will be either a secret key or a public key, as described below:
To keep your account safe, we recommend you:
New keys can be requested from the customer success team as needed.
Authorization header.
Your keys are used to identify the account on our platform, and carries many privileges, so be sure to keep them secure!
Do not share your secret API keys in publicly accessible areas such as public source code repositories, client-side code, and so forth.
All API requests must be made over HTTPS. Calls made over plain HTTP will fail.
API requests:
- without authentication will return an unauthorized error
- without a valid key will return an invalid request error
- with a deleted or expired key will return a forbidden error
Operating Modes
The Moment APIs support two modes of operation: Test Mode and Live Mode.Each mode is associated with a unique pair of API keys — a Secret Key and a Public Key — resulting in a total of four keys per account.
- Live Mode – In this mode, real funds are transferred. Use it only in production environments.
- Test Mode – No actual funds are transferred in this mode. It is intended solely for development, testing, and integration purposes.
| Test Mode | Live Mode | |
|---|---|---|
| Prefixes | sk_test_*********************, pk_test_********************* | sk_*********************, pk_********************* |
| Purpose | Used for integration and testing | Used for live API requests in production |
API Keys
Every API request must include theAuthorization header with your API key as a bearer token:
The API key will be either a secret key or a public key, as described below:
| Secret Key | Public Key | |
|---|---|---|
| Format | sk_********************* | pk_********************* |
| Purpose | Intended for server-side interactions. | Intended for client-side interactions. |
| Scope | Provides full access to the API, including the ability to create, read, update, and delete resources. | Limited access for operations that do not expose sensitive data or require elevated permissions (e.g., creating payment sessions). |
| Security | Keep this key private, use it for server-to-server API calls, and do not expose it in client-side applications like web browsers or mobile apps. | Safe for use in client-side applications but should still be restricted to specific operations. |
| Example | sk_vYZCAeHawUqDCmVpEKh2U | pk_WeHsNn87r4gtNc5BQT9Mj |
To keep your account safe, we recommend you:
- Rotate keys regularly to enhance security.
- Revoke compromised keys immediately.
New keys can be requested from the customer success team as needed.