Qordoba authenticates your API requests using your account’s API keys. If you do not include your key when making an API request, or use one that is incorrect or outdated, Qordoba returns an error.
Every account is provided with separate keys. All API requests exist in either test or live mode, one mode cannot be manipulated by objects in the other.
Secret API keys should be kept confidential and only stored on your own servers. Your account’s secret API key can perform any API request to Qordoba without restriction.
Each account has a total of limit keys.
Your API keys are available in the Account setting => Developer Integrations. We include randomly generated API keys in our code examples if you are not logged in. Replace these with your own or log in to see code examples populated with your own test API keys.
If you cannot see your API keys in the Developer Integrations, this means you do not have access to them. Contact your Qordoba account’s owner and ask to be added to their team as a developer.
Your secret API key can be used to make any API call on behalf of your account, such as creating charges or content. You should only grant access to your API keys to those that need them. Ensure they are kept out of any version control system that you may be using.
Your account’s secret API keys can be used to perform any API request without restriction. For greater security, you can create restricted API keys that limit access to, and permissions for, different areas of your account data. These take the place of your secret API key and should be used if you’re working with microservices that interact with the Qordoba API on your behalf.
A restricted key allows only the minimum level of access that the service needs while protecting account data it doesn’t need. For example, you can create a restricted key that grants read-only access to dispute data, then use it with a dispute monitoring service.