🔒Authentication

All requests to the Leatherback API must be authenticated. Authentication identifies which merchant integration a request belongs to and determines if it is authorized to perform the requested action.

Leatherback utilizes API Keys to authenticate requests. Every request must include your Secret Key in the Authorization header, using the Bearer scheme.


The Authentication Header

To authenticate, include your Secret Key in the header of every API request.

  • Header Key: X-Api
  • Header Value: YOUR_SECRET_KEY

Security Note: All API requests must be made over HTTPS. Calls made over plain HTTP or without valid authentication will fail with a 401 Unauthorized status code.


API Keys & Environments

Leatherback provides two environments to help you build and test safely before going live. Each environment uses a different secret key.

Test Environment : Use your test secret key (sk_test_...) to simulate transactions. No real money is moved in this environment, making it safe for development and testing.

Live Environment : Use your live secret key (sk_live_...) when you are ready to process real transactions in production.


Managing Your Keys

You can view, generate, and manage your keys within the Fusion Dashboard.

  • Key Rotation: It is a best practice to rotate your keys periodically to enhance security.
  • Access Control: If you suspect a key has been compromised, deactivate it immediately and generate a new one via the dashboard.

Security Best Practices

Because Secret Keys allow for the movement of funds and access to sensitive financial data, they must be handled with extreme care:

  1. Server-Side Only: Never embed Secret Keys in client-side code (JavaScript, HTML) or mobile applications.
  2. Environment Variables: Store keys securely in environment variables or a secrets management vault.
  3. No Public Exposure: Do not commit keys to public repositories (e.g., GitHub). If a key is accidentally committed, revoke it immediately.