Xendit authenticates your API requests using your account's API keys. If you do not include your key when making an API request, or use one that is incorrect or deleted, Xendit returns an error.
Every account is provided with separate keys for testing and for running live transactions. All API requests exist in either test or live mode.
Secret vs Public API Key
- Secret API key: A secret key can perform any API request to Xendit on behalf of your account. Keep your secret keys confidential and store them only on your own servers.
Each account has a total of two keys after the registration process: a pair of public keys, one for test mode and one for live mode. You'll have no secret keys when you start. This default setup prevents secret keys from being compromised for customers who are not integrating with Xendit through the API. You can create or delete keys according to your needs in the Dashboard.
Note: Use only your test API keys for testing or development. This ensures that you don't accidentally create or modify live transactions.
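One way to enforce the note above at application start-up, as an added example that is not Xendit's own code. It assumes the key prefixes listed in `PREFIXES`, HTTP Basic authentication with the key as username and an empty password, and a hypothetical environment variable named `XENDIT_SECRET_KEY`; none of these are stated on this page, so check them against your Dashboard and the API reference.

```python
import base64
import os

# Assumed key prefixes (not stated on this page); adjust to what your Dashboard shows.
PREFIXES = {
    "xnd_public_development_": ("public", "test"),
    "xnd_public_production_": ("public", "live"),
    "xnd_development_": ("secret", "test"),
    "xnd_production_": ("secret", "live"),
}


def classify_key(key):
    """Return (kind, mode) for a key, or raise ValueError if the prefix is unknown."""
    for prefix, meta in PREFIXES.items():
        if key.startswith(prefix) and len(key) > len(prefix):
            return meta
    raise ValueError("unrecognised API key format")


def auth_header(key, app_env):
    """Build the Authorization header, refusing keys that do not fit app_env.

    app_env is this application's own setting: "production" or anything else.
    """
    kind, mode = classify_key(key)
    if kind != "secret":
        raise ValueError("server-side calls need a secret key, got a public key")
    if app_env != "production" and mode == "live":
        raise ValueError("live key loaded outside production")
    if app_env == "production" and mode == "test":
        raise ValueError("test key loaded in production")
    # Assumed scheme: HTTP Basic auth, key as username, empty password.
    token = base64.b64encode(f"{key}:".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def load_from_env(app_env, var="XENDIT_SECRET_KEY"):
    """Read the key from the environment so it never lives in source control."""
    key = os.environ.get(var, "")
    if not key:
        raise ValueError(f"{var} is not set")
    return auth_header(key, app_env)
```

Error messages never include the key itself, so a failed start-up does not leak it into logs.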
API Key Permissions
Each API key has a permission for a product that you can configure. There are three types of API key permission:
- None: No product access is granted, meaning you forbid your API key from performing any action.
- Read: Grants read-only access, that is, the ability to fetch data using the API of a specific product. You'll grant Read access if you only need to, for example, get your account balance or get payment details.
- Write: Grants the ability to read and write data using the API. You'll grant Write access if you want to read or perform actions such as creating an Invoice, creating a Disbursement, getting a VA, etc.
Generate API Keys
Generate an API key easily by visiting the API keys settings in the Xendit Dashboard.