Glomo uses a secure authentication system that employs both Public and Secret API keys. This dual-key approach enhances security and simplifies integration.
- Public Key
  - Usage: Intended for client-side operations, such as securely rendering the checkout page.
  - Security: Safe for use in client-side code, but should still be protected from unauthorized access.
- Secret Key
  - Usage: Used for server-side API calls that perform sensitive operations, such as accessing balance, customer data, etc.
  - Security: Must be kept confidential. Do not expose it in client-side code, public repositories, or logs.
API key rotation is a security best practice that allows you to replace an existing API key with a new one. This process helps maintain security by regularly changing access credentials.
- Request API Key rotation
  - Navigate to the API Keys page on the dashboard.
  - Select the 3-dot menu for the key you want to rotate and click on Rotate Key.
  - Select an expiration period for the old API key and click the Rotate API Key button.
- OTP Verification
  - Verify the OTP received on your email to confirm the key rotation.

Key points of the rotation process:
- Two-step verification process using email OTP
- Configurable transition period for the old key
- Support for both publishable and private API keys
Glomo provides separate environments for testing and production to facilitate development:
- Test Environment: Use test API keys to simulate transactions without processing real payments from your staging/testing environment.
- Live Environment: Use live API keys when you're ready to accept real payments from customers from your production environment.
| Key Type | Environment | Usage Scenario | Where to Use | Notes |
|---|---|---|---|---|
| Public Key | Test | Client-side tokenization in the test environment. | Client-side | - Safe to use in client-side code in a test environment. - Not valid for real transactions. |
| Secret Key | Test | Testing server-side API calls. Simulating payment processing and other operations during development. | Server-side | - Must be kept confidential. - Use for testing purposes only. - Do not expose in client-side code. |
| Public Key | Live | Client-side tokenization of live/production payments. | Client-side | - Ensure it is securely integrated into your application. - Avoid exposing it to unauthorized users. |
| Secret Key | Live | Server-side API calls for sensitive data in the production environment. | Server-side | - Must be kept confidential at all times. - Critical for live transactions. - Do not share or expose. |
You can access your secret key from the Glomopay dashboard. Authentication to the API is performed via bearer auth: provide your API key as the bearer token in the Authorization header, e.g. `-H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJlbnYiOiJ0Z..."`.
All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.
Example:

```shell
curl --location 'https://api.glomopay.com/api/v1/ping' \
--header 'Authorization: Bearer <your_secret_key>'
```

You will receive 401 Unauthorized if you fail to provide a token, or if the token is malformed or expired.
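A minimal server-side client, added here as an example and not Glomopay's own SDK, that applies the rules above: the secret key is read from the process environment (the `GLOMO_SECRET_KEY` variable name is an assumption), requests are refused unless the URL is HTTPS, the key is redacted before it can reach a log line, and a 401 is surfaced as an authentication error. The `unauthorized_opener` stub is a constructed stand-in for the server's 401 reply so the flow can be exercised offline.

```python
"""Server-side Glomopay bearer-auth client (illustrative, not the official SDK)."""
import os
import urllib.error
import urllib.request

GLOMO_BASE_URL = "https://api.glomopay.com/api/v1"  # base of the docs' ping example


class GlomoAuthError(Exception):
    """Raised on 401 Unauthorized: token missing, malformed or expired."""


def load_secret_key(env_var="GLOMO_SECRET_KEY"):
    # Assumed variable name. The secret key is taken from the server's
    # environment so it never sits in source control or client-side code.
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; load the secret key from a server-side secret store")
    return key


def redact(secret_key):
    """Log-safe form of the key; the docs forbid writing the secret key to logs."""
    return secret_key[:4] + "..." if len(secret_key) > 4 else "****"


def build_request(path, secret_key, base_url=GLOMO_BASE_URL):
    """Build an authenticated request; refuses anything that is not HTTPS."""
    url = f"{base_url.rstrip('/')}/{path.lstrip('/')}"
    if not url.startswith("https://"):
        raise ValueError("Glomopay API calls must use HTTPS; plain HTTP calls fail")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {secret_key}"})


def call(path, secret_key, opener=urllib.request.urlopen):
    """Perform the call and return (status, body); 401 becomes GlomoAuthError."""
    req = build_request(path, secret_key)
    try:
        with opener(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            # Only the redacted key goes into the error message / any log.
            raise GlomoAuthError(f"401 Unauthorized for key {redact(secret_key)}: "
                                 "token missing, malformed or expired") from exc
        raise


def unauthorized_opener(req):
    """Constructed stand-in for the server rejecting a bad key with 401."""
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)


if __name__ == "__main__":
    print(call("ping", load_secret_key()))  # real call; needs GLOMO_SECRET_KEY set
```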