Authentication
title: "Authentication"
description: "Authenticate every BchainPay API request with a bearer token. Rotate keys without downtime."
section: "Get started"
order: 3
updated: "2026-04-18"
sourcePath: "content/docs/authentication.mdx"
BchainPay uses bearer API keys. Send your secret key in the Authorization header on every request. There are no signed requests at the API edge — webhooks are signed in the other direction (see Verify a webhook).
```bash
curl https://api.bchainpay.com/v1/pockets \
  -H "Authorization: Bearer $BCHAINPAY_API_KEY"
```

Key types
| Prefix | Environment | Scope |
|---|---|---|
| sk_live_… | Production | Full read/write on the live merchant. |
| sk_sb_… | Sandbox | Full read/write on the sandbox merchant. |
| pk_live_… | Production | Public, client-side. Read-only. |
Rotating keys
- Create a new secret key in the dashboard.
- Deploy it to your servers alongside the old one.
- Cut traffic over to the new key.
- Revoke the old key from the dashboard.
Revocations take effect within 5 seconds globally.
Errors
| Status | Code | Meaning |
|---|---|---|
| 401 | invalid_api_key | Key is missing, malformed, or revoked. |
| 403 | forbidden_scope | Key lacks the required permissions. |
| 429 | rate_limited | Per-key rate limit exceeded. Back off. |
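
One way to combine the rotation steps and the error table in a client, as an added example that is not BchainPay's own code: it tries the new key first and falls back to the old one on 401, backs off on 429, and stops on 403 with only the key prefix in the error message. The `send` transport, `fake_api` and the sample keys are constructed assumptions; decisions use only the HTTP status, because the page does not show the error body format.

```python
import time
from typing import Callable, Sequence

API_URL = "https://api.bchainpay.com/v1/pockets"  # endpoint from the curl example above
Transport = Callable[[str, dict], int]  # assumed shape: (url, headers) -> HTTP status


class AuthError(Exception):
    """Raised when no configured key can authenticate the request."""


def redact(key: str) -> str:
    """Keep only the key-type prefix (sk_live_, sk_sb_, pk_live_) for log output."""
    parts = key.split("_", 2)
    return f"{parts[0]}_{parts[1]}_***" if len(parts) == 3 else "***"


def call_with_rotation(send: Transport, keys: Sequence[str], max_retries: int = 3,
                       sleep: Callable[[float], None] = time.sleep) -> tuple:
    """Try keys in order (new first, old as fallback); return (status, index of key used)."""
    for index, key in enumerate(keys):
        for attempt in range(max_retries + 1):
            status = send(API_URL, {"Authorization": f"Bearer {key}"})
            if status != 429 or attempt == max_retries:
                break
            sleep(2 ** attempt)  # 429: per-key rate limit, back off, retry the same key
        if status == 401:  # missing, malformed or revoked: try the next key
            continue
        if status == 403:  # scope problem: surface it instead of masking it with the old key
            raise AuthError(f"forbidden_scope for key {redact(key)}")
        return status, index
    raise AuthError("invalid_api_key for every configured key")


def fake_api(valid: set, rate_limited_calls: int = 0) -> Transport:
    """Constructed stand-in for the API: 429 for the first N calls, then 200 or 401."""
    calls = {"n": 0}
    def send(url: str, headers: dict) -> int:
        calls["n"] += 1
        if calls["n"] <= rate_limited_calls:
            return 429
        token = headers["Authorization"].removeprefix("Bearer ")
        return 200 if token in valid else 401
    return send


if __name__ == "__main__":
    new, old = "sk_sb_NEWconstructed", "sk_sb_OLDconstructed"  # constructed sample keys
    print(call_with_rotation(fake_api({old}), [new, old]))  # new key not accepted yet
```

Once the returned index is 0 on every server, the old key is no longer being used and can be revoked from the dashboard.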