Manage API Keys

All accounts have four keys: a publishable key and a secret key for each of test mode and live mode. By default, your secret keys can be used to perform any API request without restriction. This page describes how to manage your keys in the developer section of the Speed web application.

You can create, reveal, update, roll back, or delete keys from the developer keys page.

Reveal an API key

The developer keys page in the web application hides the secret keys for both modes after the first time you access it. Use the steps below to reveal a secret key. The publishable key, however, is never hidden once it is created.

Log into the Speed web application with appropriate credentials and follow these steps:

  • Select the mode (Test or Live) for which you want to reveal the API key.
  • Open the Developer keys > Standard keys page.
  • Click the Reveal key button.
  • Save it to your system.

Secret keys can also be hidden manually using the hide button right next to the key.

Generate a secret key

You can only generate secret keys for the live mode.

Follow these steps to generate them:

  • Select the mode (Test or Live) for which you want to generate the API key.
  • Navigate to Developer keys > Standard keys.
  • Click on Add Secret Key. Upon clicking the Create Secret key button, Speed asks for the name and description of the key you want to generate.
  • After that, click the create key button to generate a key.
  • You can create a maximum of 2 secret keys for an account. If the limit is exceeded, the ability to create a secret key is disabled.

Best practices to keep them safe

Your secret API keys can be used to make any API call on your account's behalf, such as creating payments or transferring funds. Hence, you should store and protect your secret API keys as you would with any other password.

Your secret API keys are valuable information, and an unintentional leak could lead to a data breach or a worse outcome. For example, someone could view your data, make changes to your account, and even transfer funds as they see fit. You cannot delete the default keys associated with your account, so use a strong security strategy.

Check out these recommendations to keep your API keys secure.

  • Share them only with those who need them.
  • Do not store your secret API keys on the client side.
  • Do not embed the credentials directly in code repositories, even if they are private.
  • Control access to your keys using a password manager or a secret management service like AWS Secrets Manager. It will not only protect your keys, but also help you retrieve and manage the credentials of your entire team.
  • If you think your API credentials have been compromised, keep calm and simply roll your keys. To roll a secret key, see Manage API keys.
  • One common mistake is using a single secret key for everything. The proper approach is to use multiple secret keys, each designed for a specific purpose or use case. As of now, you get three keys.
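
One way to enforce the "do not embed the credentials directly in code repositories" recommendation above is a pre-commit check that rejects files containing a secret key while allowing publishable keys. This is an added example, not Speed's own code; the `sk_<mode>_` / `pk_<mode>_` key format, the `SPEED_SECRET_KEY` variable name and all sample values are assumptions constructed for illustration.

```python
"""Pre-commit style check: fail when a file contains a secret API key."""
import re
import sys

# ASSUMPTION: secret keys look like sk_<mode>_<token>, publishable keys like
# pk_<mode>_<token>. The page does not document the format; adjust the regex.
SECRET_KEY_RE = re.compile(r"\bsk_(test|live)_[A-Za-z0-9]{16,}\b")


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so logs never hold a usable key."""
    return f"{key[:8]}...{key[-4:]}"


def find_secret_keys(text: str):
    """Return (line_number, mode, redacted_key) for every secret key in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, match.group(1), redact(match.group(0))))
    return findings


def scan_files(paths):
    """Scan files; return (path, line_number, mode, redacted_key) tuples."""
    results = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as handle:
                text = handle.read()
        except OSError:
            continue  # path deleted in this commit, or unreadable
        results.extend((path, *f) for f in find_secret_keys(text))
    return results


# Constructed sample: a settings file with hard-coded keys (all values fake).
SAMPLE = '''\
PUBLISHABLE_KEY = "pk_live_aaaaaaaaaaaaaaaaaaaa1111"
SECRET_KEY = "sk_live_bbbbbbbbbbbbbbbbbbbb2222"
secret_key = os.environ["SPEED_SECRET_KEY"]  # hypothetical variable name
TEST_KEY = "sk_test_cccccccccccccccccccc3333"
'''

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:])  # pre-commit passes staged file names
    for path, lineno, mode, key in hits:
        print(f"{path}:{lineno}: {mode}-mode secret key {key}")
    sys.exit(1 if hits else 0)
```

Findings are redacted before printing so the check itself does not copy a usable key into CI logs; any key it flags should still be rolled, since it has already been written to disk.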