Skip to main content

API Keys

Xendit authenticates your API requests using your account's API keys. If you do not include your key when making an API request, or use one that is incorrect or deleted, Xendit returns an error.

Every account is provided with separate keys for testing and for running live transactions. All API requests exist in either test or live mode.

Secret vs Public API Key

  • Secret API key: Secret key can perform any API request to Xendit on behalf of your account. Your secret keys should be kept confidential and only stored on your own servers.
  • Public API key: Public key are meant to identify your account with Xendit. In other words, they can safely be published in places like your Xendit.js javascript code or in an Android or iPhone app. Public key only have the power to create tokens and authenticate for Cards.

Each account has a total of two keys after registration process: a pair of public key for test and live mode. You'll have zero secret key when you start. This default setup is to prevent secret key being compromised for customers who are not integrating with Xendit using API. You can create or delete key according to your needs in Dashboard.


Note: Use only your test API keys for testing or development. This ensures that you don't accidentally create or modify live transactions

API Key Permissions

Each API key has permission of a product that you can configure. There are three types of API key permission

  • None: No product access granted, meaning you forbid your API key to perform any action.
  • Read: Granting the ability to read-only access or fetch data using API of a specific product. You'll grant Read access if you only need to, for example, get your account balance or get payment detail.
  • Write: Granting the ability to read and write data using API. You'll grant Write access if you want to read or perform action ie create Invoice, create Disbursement, get VA, etc

Generate API Keys

Generate API key easily by visiting API keys settings in Xendit Dashboard