# Authentication

Glomo uses a secure authentication system that employs both **Public** and **Secret** API keys. This dual-key approach enhances security and simplifies integration.

## API Keys

### Public Key

- **Usage**: Intended for client-side operations, such as securely rendering the checkout page.
- **Security**: Safe for use in client-side code, but should still be protected from unauthorized access.


### Secret Key

- **Usage**: Used for server-side API calls that perform sensitive operations, such as accessing balance, customer data, etc.
- **Security**: Must be kept confidential. Do not expose it in client-side code, public repositories, or logs.


## Rotating your API Key

API key rotation is a security best practice that allows you to replace an existing API key with a new one. This process helps maintain security by regularly changing access credentials.

### Rotation process

- Request API Key rotation
  - Navigate to the [API Keys](https://app.glomopay.com/api-keys-and-webhooks/api-keys) page on the dashboard.
  - Open the 3-dot menu for the key you want to rotate and click **Rotate Key**.
  - Select an expiration period for the old API key and click the **Rotate API Key** button.
- OTP Verification
  - Verify the **OTP** received on your email to confirm key rotation.


### Security features

- Two-step verification process using email OTP
- Configurable transition period for the old key
- Support for both public (publishable) and secret (private) API keys


To rotate your key programmatically, use the [Rotate API Key](/api-documentation/apis/openapi/api_key/rotateapikey) endpoint.

## Environments

Glomo provides separate environments for testing and production to facilitate development:

- **Test Environment**: Use test API keys to simulate transactions without processing real payments from your staging/testing environment.
- **Live Environment**: Use live API keys when you're ready to accept real payments from customers from your production environment.


## Glomo API Keys Usage Guide

| **Key Type** | **Environment** | **Usage Scenario** | **Where to Use** | **Notes** |
| --- | --- | --- | --- | --- |
| **Public Key** | **Test** | Client-side tokenization in the test environment. | **Client-side** | Safe to use in client-side code in a test environment.<br>Not valid for real transactions. |
| **Secret Key** | **Test** | Testing server-side API calls; simulating payment processing and other operations during development. | **Server-side** | Must be kept confidential.<br>Use for testing purposes only.<br>Do not expose in client-side code. |
| **Public Key** | **Live** | Client-side tokenization of live/production payments. | **Client-side** | Ensure it is securely integrated into your application.<br>Avoid exposing it to unauthorized users. |
| **Secret Key** | **Live** | Server-side API calls for sensitive data in the production environment. | **Server-side** | Must be kept confidential at all times.<br>Critical for live transactions.<br>Do not share or expose. |


### Using the secret key

You can access your secret key from Glomopay [dashboard](https://app.glomopay.com/api-keys-and-webhooks/api-keys).
Authentication to the API is performed via bearer auth. Provide your secret key as the bearer token in the `Authorization` header: `-H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJlbnYiOiJ0Z..."`.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

Example:

```bash
curl --location 'https://api.glomopay.com/api/v1/ping' \
--header 'Authorization: Bearer <your_secret_key>'
```

You will receive `401 Unauthorized` if you fail to provide a token, if the token is malformed, or if it has expired.
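The server-side usage described above, as an added example that is not Glomo's own client code: the secret key is read from an environment variable rather than embedded in source, the call is refused unless the base URL is HTTPS, a `401` is surfaced as an explicit authentication failure (missing, malformed or expired key), and only a redacted form of the key is ever logged. The environment variable name `GLOMO_SECRET_KEY`, the `opener` parameter (which lets the call be exercised without a network) and the function names are assumptions; the `/api/v1/ping` endpoint and the `Authorization: Bearer` header come from this page.

```python
"""Minimal server-side client for Glomo bearer-token authentication (illustrative)."""
import os
import urllib.error
import urllib.request
from urllib.parse import urlparse

API_BASE = "https://api.glomopay.com/api/v1"   # from the page's curl example


class AuthenticationError(Exception):
    """Raised when the API answers 401: token missing, malformed or expired."""


def load_secret_key(env_var="GLOMO_SECRET_KEY"):
    # Assumed variable name: the secret key lives in the environment, never in source or VCS.
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to call the API unauthenticated")
    return key


def redact(secret_key):
    # Safe representation for logs: the page warns never to expose the key in logs.
    return "***" + secret_key[-4:] if len(secret_key) > 8 else "***"


def require_https(url):
    # Glomo rejects plain HTTP; refuse before the key ever leaves the process.
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing to send the secret key over a non-HTTPS URL: {url}")
    return url


def build_headers(secret_key):
    return {"Authorization": f"Bearer {secret_key}", "Accept": "application/json"}


def interpret_status(status):
    # Map the documented failure mode to a typed error instead of a bare status code.
    if status == 401:
        raise AuthenticationError("401 Unauthorized: token missing, malformed or expired")
    return status


def ping(secret_key, base_url=API_BASE, opener=urllib.request.urlopen):
    # `opener` is an assumed injection point so the flow can be tested without network access.
    req = urllib.request.Request(require_https(base_url + "/ping"), headers=build_headers(secret_key))
    try:
        with opener(req) as resp:
            return interpret_status(resp.status)
    except urllib.error.HTTPError as err:
        return interpret_status(err.code)   # raises AuthenticationError on 401
```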