Authentication
All API requests require authentication using your secret API key.
API Keys
Get your API keys from the Fyber Console under Developer > API Keys.
You'll receive two types of keys:
| Key Type | Prefix | Usage |
|---|---|---|
| Publishable | pk_test_... or pk_live_... | Client-side (checkout.js) |
| Secret | sk_test_... or sk_live_... | Server-side API calls |
Test vs Live Mode
| Environment | Key Prefix | Base URL |
|---|---|---|
| Test (Sandbox) | sk_test_... | https://api.sandbox.fyber.one |
| Live (Production) | sk_live_... | https://api.fyber.one |
Test mode lets you make API calls without processing real transactions. Use test cards to simulate different scenarios.
Using Your API Key
HTTP Header
Include your secret key in the Authorization header:
```http
Authorization: Bearer sk_test_your_secret_key
```
SDK Initialization
JavaScript
```javascript
import { Fyber } from '@fyber.one/sdk-js';

const fyber = new Fyber({
  apiKey: 'sk_test_your_secret_key',
  environment: 'test',
});
```
PHP
```php
use Fyber\Fyber;

$fyber = new Fyber('sk_test_your_secret_key', [
    'environment' => 'test',
]);
```
C#
```csharp
using Fyber;

var fyber = new FyberClient("sk_test_your_secret_key", new FyberClientOptions
{
    Environment = "test"
});
```
Flutter
```dart
import 'package:fyber/fyber.dart';

final fyber = Fyber(
  apiKey: 'sk_test_your_secret_key',
  environment: 'test',
);
```
Security Best Practices
- Never expose secret keys - Keep `sk_*` keys on your server only
- Use environment variables - Don't hardcode keys in source code
- Rotate compromised keys - Generate new keys immediately if exposed
- Use test keys for development - Only use live keys in production
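These rules can be enforced at startup, before the key reaches the SDK or an `Authorization` header. The following is an added example, not part of the Fyber SDK: `loadFyberConfig` and `redactKey` are hypothetical helpers, the use of `NODE_ENV` to mark production is an assumption, and the key prefixes and base URLs are taken from the tables above.

```javascript
// Added example (not Fyber SDK code). Helper names are hypothetical.
// Base URLs per key mode, as listed in the Test vs Live Mode table.
const BASE_URLS = {
  test: 'https://api.sandbox.fyber.one',
  live: 'https://api.fyber.one',
};

// Keep only the prefix and the last 4 characters so a full key
// never ends up in logs or error messages.
function redactKey(key) {
  const m = /^(sk|pk)_(test|live)_/.exec(String(key));
  if (!m || key.length < m[0].length + 8) return '[redacted]';
  return `${m[0]}****${key.slice(-4)}`;
}

// Validate the secret key found in `env` (pass process.env in real use)
// and derive the matching base URL and Authorization header.
function loadFyberConfig(env) {
  const key = (env.FYBER_SECRET_KEY || '').trim();
  if (!key) {
    throw new Error('FYBER_SECRET_KEY is not set');
  }
  // A pk_ key belongs in client-side code, not in server-side API calls.
  if (key.startsWith('pk_')) {
    throw new Error('Publishable key supplied where a secret key is required');
  }
  const m = /^sk_(test|live)_.+$/.exec(key);
  if (!m) {
    throw new Error('FYBER_SECRET_KEY does not look like a secret key');
  }
  const mode = m[1];
  // Assumption: NODE_ENV === 'production' identifies the production deployment.
  if (mode === 'live' && env.NODE_ENV !== 'production') {
    throw new Error(`Live key ${redactKey(key)} used outside production`);
  }
  return {
    apiKey: key,
    mode,
    baseUrl: BASE_URLS[mode],
    headers: { Authorization: `Bearer ${key}` },
  };
}
```

Call `loadFyberConfig(process.env)` once at process start so a misconfigured key stops the deployment instead of surfacing later as a failed or misdirected API call.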
```javascript
// Good - using environment variables
const fyber = new Fyber({
  apiKey: process.env.FYBER_SECRET_KEY,
});
```

```javascript
// Bad - hardcoded key
const fyber = new Fyber({
  apiKey: 'sk_live_actual_secret_key', // Don't do this!
});
```
Rate Limits
API requests are rate limited to protect service stability:
| Limit Type | Limit |
|---|---|
| Requests per second | 100 |
| Requests per minute | 1,000 |
When rate limited, you'll receive a 429 Too Many Requests response with a Retry-After header.
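```javascript
// Promise-based delay helper used for the back-off below
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

try {
  const payment = await fyber.payments.create({ /* payment fields */ });
} catch (error) {
  if (error.code === 'rate_limit_error') {
    // Wait for the Retry-After interval (seconds) before retrying
    await sleep(error.retryAfter * 1000);
  }
}
```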