This page explains how to authenticate with the Ravelin API.

On this page:

Ravelin uses API keys and token authentication to allow access to our API.

Your API keys can be found under the API Keys tab in the Developer section of the dashboard.

All API requests should also be made using HTTPS.

Secret API Keys

Your Secret API Keys should be used when sending requests to and will either have the prefix sk_ or secret_key_.

You should include your Secret API Key in the Authorization header of all requests to in the format: Authorization: token sk_live_your_secret_key.

For example:

$ curl "" \
    -H "Authorization: token sk_live_your_secret_key" \
    -X POST

Publishable API Keys

Publishable Keys are safe to publish on your website front-end and safe to appear in your logs. In this respect they are conceptually comparable to public keys in asymmetric cryptography.

Ravelin’s Publishable Keys have a highly constrained role and scope and will be accepted only by specific API endpoints, for example to create session-tracking events.

The use of Ravelin’s client-side card encryption alongside publishable keys allows merchants to minimise their PCI exposure by ensuring card details are fully encrypted before being passed out of the client-side browser or app environment scope into their backend environment scope.

Your Publishable API Keys (and, if provided, your Public RSA Keys) should be used by the ravelinjs JavaScript SDK, the iOS SDK, or the Android SDK.

To aid with identification, Publishable API Keys will always have the prefix pk_ or publishable_key_.

Sandbox API Keys

You have both live and sandbox API keys.

Keys for use with your sandbox account include the term _test_, while keys for use with your live account include the term _live_.

Your sandbox keys can be accessed in the same API Keys tab in the Developer section of the dashboard, when you’ve switched to your sandbox account from the account menu.

Requesting new API keys

You can request new API keys by contacting your account manager.