Authentication

How to authenticate requests to the CashSDK API with bearer tokens.

Every request to the CashSDK API must include a bearer token in the Authorization header. Server-side calls use a secret key.

bash
Authorization: Bearer csk_sk_...

Key types#

KeyPrefixWhere it's usedAccess
Secret keycsk_sk_…Your backend, CLI, MCP serverFull server-side access
Publishable keypk_live_… / pk_test_…Client SDKsFetch offerings, start purchases
Setup tokencsk_st_…Onboarding & provisioningScoped, short-lived setup tasks

Never embed a secret key in a mobile or web client. Client apps authenticate with a publishable key only. If a secret key leaks, rotate it immediately from Settings → API keys.

Test vs. live mode#

Publishable keys come in pk_test_… and pk_live_… variants. Test-mode keys route to store sandbox environments and seeded data so you can drive the full purchase flow without real charges. Secret keys operate on the environment they were issued for. See Testing.

Example request#

bash
curl https://api.cashsdk.com/v1/apps \
  -H "Authorization: Bearer csk_sk_..."
json
{
  "data": [
    {
      "id": "app_2mK4pQ",
      "name": "Focus Timer",
      "platform": "ios",
      "bundle_id": "com.example.focustimer",
      "created_at": "2026-05-02T09:14:00Z"
    }
  ],
  "has_more": false,
  "next_cursor": null
}

Failed authentication#

A missing, malformed, or revoked token returns 401 Unauthorized:

json
{
  "error": {
    "code": "unauthorized",
    "message": "No valid API key was provided."
  }
}

Using a key without permission for a resource returns 403 Forbidden. See Errors for the complete list.

Next steps#