Authentication
Authenticate server-to-server API calls by sending your secret key in the x-api-key header.
Kyshi provides separate test and live keys. Test secret keys use the sk_test_ prefix and live secret keys use the sk_live_ prefix. Keep secret keys on your server only; never expose them in client-side code or commit them to source control.
-H "x-api-key: sk_test_xxxxxxxxxxxxxxxxxxxxx"curl https://api.kyshi.co/v1/transactions/history \
-H "x-api-key: sk_test_xxxxxxxxxxxxxxxxxxxxx"Test And Live Modes
The API resolves request mode from the key you use:
| Key Prefix | Mode |
|---|---|
sk_test_ | Test mode |
sk_live_ | Live mode |
Requests without a valid key return 401 Unauthorized.
Keep Keys Server-Side
Never expose secret keys in browser JavaScript, mobile apps, public repositories, or customer-facing logs. Your frontend should call your backend, and your backend should call Kyshi.
Public Reference Endpoints
Most integrator endpoints require x-api-key. A few public lookup or checkout endpoints do not require a key, and those are marked without authentication in the API Reference.
Updated 19 days ago