Skip to main content
Requests to KulmiPay are authenticated with API keys. KulmiPay provides two key types:
  • Public / publishable key: prefixed with ISPubKey_
  • Secret key: prefixed with ISSecretKey_
Keys are tied to an environment. Test keys include test and must be used with sandbox endpoints. Live keys include live and must be used with live endpoints.
Never expose your secret key in frontend code, mobile apps, public repositories, logs, or browser requests. Use it only from your backend.

How to get API keys

Create or view your API keys in the KulmiPay dashboard under API Applications. Your public key is used for browser-safe checkout and collection flows. Your secret key is used for protected server-to-server operations such as wallets, disbursements, payment sessions, webhooks management, and other account-level API calls. Only generate and use a secret key when your integration needs backend access.

Public key authentication

Use your public key for checkout flows and public collection requests. You can pass it in the request body:
Or pass it as a request header:
Example checkout request:
The kulmipay browser SDK handles public key authentication for you:

Secret key authentication

Use your secret key for protected REST API requests. Send it in the Authorization header with the Bearer prefix.
Example:
In production, switch to the live base URL and a live secret key:
Secret keys do not require an OAuth token exchange. Use the key directly as the Bearer token.
The PHP SDK attaches the correct headers from the credentials you pass to init():

Choosing the right key

Common authentication errors

Keeping credentials secure

  • Store secret keys in environment variables or a secrets manager.
  • Do not commit .env files or hard-code credentials.
  • Rotate keys immediately if they are exposed.
  • Use HTTPS for all requests between your backend, frontend, and KulmiPay.
  • Use sandbox keys while testing and live keys only after you are ready to process real payments.

Next steps

Client Libraries

Install and configure the browser checkout SDK or PHP SDK.

Sandbox

Test your integration with sandbox keys before going live.