Authentication

Learn how to authenticate your API requests using API keys and bearer tokens.

API Keys
Use API keys to authenticate your requests. Keep your keys secure and never expose them in client-side code.
Bearer Token
Include your API key in the Authorization header as a Bearer token for secure authentication.
API Key Format
Your API keys follow a specific format to help identify their type and environment.

Key Types

sk_test_
Test Secret Key

Used for testing and development

sk_live_
Live Secret Key

Used for production environments

pk_test_
Test Publishable Key

Safe to use in client-side code for testing

Example Keys

Test Secret Key:

sk_test_4eC39HqLyjWDarjtT1zdp7dc

Live Secret Key:

sk_live_4eC39HqLyjWDarjtT1zdp7dc
Making Authenticated Requests
Include your API key in the Authorization header of your HTTP requests.
bash
curl https://pollenpay.com/api/v1/users \
  -H "Authorization: Bearer sk_test_4eC39HqLyjWDarjtT1zdp7dc" \
  -H "Content-Type: application/json"
Best Practices
  • Store API keys securely using environment variables
  • Use test keys during development and testing
  • Rotate your API keys regularly
  • Monitor API key usage and set up alerts
  • Use HTTPS for all API requests
Security Warnings
  • Never expose secret keys in client-side code
  • Don't commit API keys to version control
  • Avoid logging API keys in application logs
  • Revoke compromised keys immediately
  • Don't share keys via email or messaging
Error Responses
Common authentication errors and how to resolve them.
401
Unauthorized

The API key is missing, invalid, or has been revoked.

json
{
  "error": {
    "type": "authentication_error",
    "message": "Invalid API key provided",
    "code": "invalid_api_key"
  }
}
403
Forbidden

The API key doesn't have permission to perform this action.

json
{
  "error": {
    "type": "permission_error",
    "message": "Insufficient permissions for this operation",
    "code": "insufficient_permissions"
  }
}
429
Rate Limited

Too many requests have been made with this API key.

json
{
  "error": {
    "type": "rate_limit_error",
    "message": "Rate limit exceeded. Try again in 60 seconds",
    "code": "rate_limit_exceeded"
  }
}
Environment Variables
Securely store your API keys using environment variables in different environments.

Store your API keys in a .env file (never commit this to version control):

bash
# .env.local
POLLEN_PAY_API_SECRET_KEY=sk_test_4eC39HqLyjWDarjtT1zdp7dc
POLLEN_PAY_API_PUBLISHABLE_KEY=pk_test_4eC39HqLyjWDarjtT1zdp7dc

# Production (set these in the production environment only, not in the same file as the test keys)
POLLEN_PAY_API_SECRET_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dc
POLLEN_PAY_API_PUBLISHABLE_KEY=pk_live_4eC39HqLyjWDarjtT1zdp7dc
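
The following Python sketch is an added example, not code from Pollen Pay. It ties together the key prefixes, the Bearer header, the environment variable name and the error bodies documented above. The function names, the `production` flag and the assumption that the part of a key after its prefix is alphanumeric (as in the example keys) are illustrative choices, not part of the documented API.

```python
import json
import re

# Assumption: the part after the prefix is alphanumeric, as in the page's example keys.
KEY_RE = re.compile(r"\b((?:sk|pk)_(?:test|live)_)([A-Za-z0-9]+)")


def redact(text):
    """Mask every API key found in text, keeping the prefix and last 4 characters."""
    return KEY_RE.sub(lambda m: m.group(1) + "****" + m.group(2)[-4:], text)


def load_secret_key(env, production):
    """Read the secret key from an environment mapping and check its type."""
    key = env.get("POLLEN_PAY_API_SECRET_KEY", "")
    match = KEY_RE.fullmatch(key)
    if not match:
        raise ValueError("POLLEN_PAY_API_SECRET_KEY is missing or malformed")
    prefix = match.group(1)
    if not prefix.startswith("sk_"):
        raise ValueError("publishable key supplied where a secret key is required")
    if (prefix == "sk_live_") != production:
        raise ValueError("key type does not match this environment: " + redact(key))
    return key


def auth_headers(key):
    """Build the headers used in the curl example."""
    return {"Authorization": "Bearer " + key, "Content-Type": "application/json"}


def classify_error(status, body):
    """Map a documented error response to (error code, suggested action)."""
    try:
        code = json.loads(body)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        code = "unknown"
    actions = {
        401: "check the key; replace it if it was revoked",
        403: "use a key with permission for this operation",
        429: "back off and retry later",
    }
    return code, actions.get(status, "unexpected status")


if __name__ == "__main__":
    # Constructed sample input: the page's example test key and its 401 body.
    env = {"POLLEN_PAY_API_SECRET_KEY": "sk_test_4eC39HqLyjWDarjtT1zdp7dc"}
    headers = auth_headers(load_secret_key(env, production=False))
    print(redact(str(headers)))
    print(classify_error(401, '{"error": {"code": "invalid_api_key"}}'))
```

In a real service, pass `os.environ` as `env` and run log messages through `redact` before they are written.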