Authentication
API key types, scopes, security best practices, and how to authenticate requests to the Elebne Developer API.
Every request to the Elebne Developer API must include a valid API key. This page covers key types, how to pass them, the scope system, and security best practices.
API key types
| Key | Prefix | Permission | Usage |
|---|---|---|---|
| Publishable Test | pk_test_ | Read only | Client-safe, sandbox queries |
| Secret Test | sk_test_ | Read + Write | Server-side, sandbox mutations |
| Publishable Live | pk_live_ | Read only | Client-safe, production queries |
| Secret Live | sk_live_ | Read + Write | Server-side, production mutations |
- Publishable keys (`pk_`) can only read data. They are safe to include in client-side code.
- Secret keys (`sk_`) can read and write. They must only be used on your server.
- Test keys operate in sandbox mode — no real money is moved.
- Live keys operate in production — real transactions with real funds.
Authorization header
Pass your API key in the Authorization header as a Bearer token:
```http
Authorization: Bearer sk_test_YOUR_KEY
```

Requests without a valid key return `401 Unauthorized`.
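The following is an added example, not code from Elebne or an official SDK. It reads the key from an environment variable, builds the `Authorization: Bearer` header exactly as documented, refuses to send over plain HTTP, and maps the two auth-related status codes the page documents (401 for a missing or invalid key, 403 for a caller IP that is not on the allowlist) to an operator-facing explanation. The base URL, the request path and the variable name `ELEBNE_SECRET_KEY` are placeholders, not values from the page.

```python
"""Added example: authenticate a request to the Elebne Developer API.

Assumptions (not from the page): API_BASE and the /v1/pay/intents path are
placeholders; ELEBNE_SECRET_KEY is our own environment-variable name.
"""
import os
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

API_BASE = "https://api.elebne.example"  # placeholder base URL (assumption)


def auth_headers(api_key: str) -> Dict[str, str]:
    """Build headers for an authenticated request.

    The page documents 'Authorization: Bearer <key>'. The key comes from the
    environment at runtime and is never embedded in source.
    """
    if not api_key or not api_key.strip():
        raise ValueError("API key is empty; set ELEBNE_SECRET_KEY")
    return {
        "Authorization": f"Bearer {api_key.strip()}",
        "Accept": "application/json",
    }


def explain_auth_failure(status: int) -> Optional[str]:
    """Map the auth-related status codes documented on the page to an action."""
    if status == 401:
        return ("401 Unauthorized: key missing, malformed or rotated; "
                "reload the key from the environment")
    if status == 403:
        return ("403 Forbidden: key accepted but the caller IP is not on the "
                "key's IP allowlist; check the allowlist in Commerce > Developer")
    return None


def get(path: str, api_key: str) -> Tuple[int, bytes]:
    """Perform an authenticated GET over HTTPS and return (status, body)."""
    # The API rejects plain HTTP, so fail early rather than leak the key in cleartext.
    if not API_BASE.startswith("https://"):
        raise ValueError("API_BASE must use https://")
    req = urllib.request.Request(API_BASE + path, headers=auth_headers(api_key),
                                 method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # 4xx/5xx are raised by urllib; return them like any other status.
        return err.code, err.read()


if __name__ == "__main__":
    key = os.environ.get("ELEBNE_SECRET_KEY", "")
    status, body = get("/v1/pay/intents", key)
    print(status, explain_auth_failure(status) or body[:200])
```

Keeping the HTTPS check and the header construction in one place means a misconfigured base URL fails before any request carries the key.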
Scopes
API keys are assigned granular scopes that control which endpoints they can access. Scopes are grouped by surface area.
Pay scopes
| Scope | Description | Requires secret key |
|---|---|---|
| pay.intents:read | List and retrieve payment intents | No |
| pay.intents:write | Create, update, cancel, and refund payment intents | Yes |
Store scopes
| Scope | Description | Requires secret key |
|---|---|---|
| store.products:read | List and retrieve products | No |
| store.products:write | Create, update, and delete products | Yes |
| store.orders:read | List and retrieve orders | No |
| store.orders:write | Update order status, fulfill orders | Yes |
| store.inventory:read | Read inventory levels | No |
| store.inventory:write | Update stock quantities | Yes |
| store.import:write | Import products via CSV | Yes |
Enterprise scopes
| Scope | Description | Requires secret key |
|---|---|---|
| enterprise.transfers:read | List and retrieve transfers | No |
| enterprise.transfers:write | Create transfers | Yes |
| enterprise.bulk:write | Create bulk transfers | Yes |
| enterprise.bills:write | Pay bills | Yes |
| enterprise.ledger:read | Read ledger entries | No |
Webhook scopes
| Scope | Description | Requires secret key |
|---|---|---|
| webhooks.endpoints:read | List webhook endpoints | No |
| webhooks.endpoints:manage | Create, update, and delete endpoints | Yes |
| webhooks.deliveries:read | List webhook event deliveries | No |
| webhooks.deliveries:retry | Retry failed deliveries | Yes |
IP allowlist
For additional security, you can restrict API access to specific IP addresses:
- Open the Elebne mobile app, go to Commerce > Developer.
- Under IP Allowlist, add your server's IP addresses.
- Requests from unlisted IPs are rejected with `403 Forbidden`.
Optional in sandbox
IP allowlists are optional but strongly recommended for production keys.
Key rotation
You can rotate your API keys at any time:
- Go to Commerce > Developer in the Elebne mobile app.
- Tap Rotate next to the key you want to replace.
- A new key is generated immediately. The old key is invalidated.
Rotation is immediate
Once you rotate a key, the old key stops working instantly. Update your integration before rotating.
Security best practices
- Never expose secret keys in client-side code. Use `pk_` keys for browser and mobile apps; keep `sk_` keys on your server only.
- Rotate keys regularly. If a key may have been compromised, rotate it immediately.
- Use IP allowlists in production. Restrict live keys to your server IPs.
- Use the minimum required scopes. Request only the scopes your integration needs.
- Store keys in environment variables. Never commit keys to version control.
- Use HTTPS only. The API rejects plain HTTP requests.
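As an added example (not Elebne's own tooling), the check below turns the key-type rules and the scope tables above into a pre-deployment lint: it parses the key prefix, refuses a secret key in a browser or mobile bundle, flags a test key in production (or a live key in sandbox), rejects scopes that the tables mark "Requires secret key: Yes" on a publishable key, and redacts the key for logging. The scope names and prefixes are the page's; the function names and the `runs_in` / `environment` vocabulary are assumptions of this example.

```python
"""Added example: least-privilege and key-placement lint for Elebne API keys.

Scope names and key prefixes are taken from the Authentication page; the
check_key() contract and the context labels are our own assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Scopes the page lists with "Requires secret key: Yes".
SECRET_ONLY_SCOPES = {
    "pay.intents:write",
    "store.products:write", "store.orders:write",
    "store.inventory:write", "store.import:write",
    "enterprise.transfers:write", "enterprise.bulk:write", "enterprise.bills:write",
    "webhooks.endpoints:manage", "webhooks.deliveries:retry",
}
# Scopes the page lists with "Requires secret key: No".
READ_SCOPES = {
    "pay.intents:read",
    "store.products:read", "store.orders:read", "store.inventory:read",
    "enterprise.transfers:read", "enterprise.ledger:read",
    "webhooks.endpoints:read", "webhooks.deliveries:read",
}
KNOWN_SCOPES = SECRET_ONLY_SCOPES | READ_SCOPES

# (prefix, is_secret, is_live) from the "API key types" table.
KEY_PREFIXES = (
    ("pk_test_", False, False),
    ("sk_test_", True, False),
    ("pk_live_", False, True),
    ("sk_live_", True, True),
)


@dataclass(frozen=True)
class KeyInfo:
    secret: bool  # sk_ (read + write) vs pk_ (read only)
    live: bool    # _live_ (real funds) vs _test_ (sandbox)


def parse_key(key: str) -> KeyInfo:
    """Classify a key by its documented prefix; anything else is rejected."""
    for prefix, secret, live in KEY_PREFIXES:
        if key.startswith(prefix) and len(key) > len(prefix):
            return KeyInfo(secret=secret, live=live)
    raise ValueError("unrecognised key prefix")


def redact(key: str) -> str:
    """Log-safe form: keep the prefix (type) and last 4 characters only."""
    info_prefix = next((p for p, _, _ in KEY_PREFIXES if key.startswith(p)), "")
    return f"{info_prefix}...{key[-4:]}"


def check_key(key: str, runs_in: str, environment: str,
              scopes: Iterable[str]) -> List[str]:
    """Return policy violations for a key; an empty list means it is acceptable.

    runs_in:     "browser" (client-side, incl. mobile apps) or "server"
    environment: "sandbox" or "production"
    """
    info = parse_key(key)
    problems: List[str] = []
    if runs_in == "browser" and info.secret:
        problems.append("secret key (sk_) must never ship in client-side code")
    if environment == "production" and not info.live:
        problems.append("test key in production: no real transactions would occur")
    if environment == "sandbox" and info.live:
        problems.append("live key in sandbox: real funds could move")
    for scope in scopes:
        if scope not in KNOWN_SCOPES:
            problems.append(f"unknown scope {scope!r}")
        elif scope in SECRET_ONLY_SCOPES and not info.secret:
            problems.append(f"scope {scope!r} requires a secret key but key is publishable")
    return problems


if __name__ == "__main__":
    # Constructed sample keys; not real credentials.
    for key, where, env, scopes in (
        ("pk_live_abc123", "browser", "production", ["store.products:read"]),
        ("sk_live_abc123", "browser", "production", ["pay.intents:write"]),
        ("pk_test_abc123", "server", "sandbox", ["pay.intents:write"]),
    ):
        print(redact(key), where, env, check_key(key, where, env, scopes) or "OK")
```

Run this against each deployment target's configuration in CI so a secret key cannot reach a client bundle and a publishable key is not expected to perform writes it can never be granted.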
Next steps
- Sandbox — Test your integration without real money
- Common Patterns — Required headers, amounts, pagination
- Webhooks — Verify webhook signatures