This page covers authenticating raw API requests. For a broader overview of keys, rotation, and the dashboard, see Authentication.
Authentication
How to authenticate requests to the CashSDK API with bearer tokens.
Every request to the CashSDK API must include a bearer token in the
Authorization header. Server-side calls use a secret key.
Authorization: Bearer csk_sk_...
Key types#
| Key | Prefix | Where it's used | Access |
|---|---|---|---|
| Secret key | csk_sk_… | Your backend, CLI, MCP server | Full server-side access |
| Publishable key | pk_live_… / pk_test_… | Client SDKs | Fetch offerings, start purchases |
| Setup token | csk_st_… | Onboarding & provisioning | Scoped, short-lived setup tasks |
Never embed a secret key in a mobile or web client. Client apps authenticate with a publishable key only. If a secret key leaks, rotate it immediately from Settings → API keys.
Test vs. live mode#
Publishable keys come in pk_test_… and pk_live_… variants. Test-mode keys
route to store sandbox environments and seeded data so you can drive the full
purchase flow without real charges. Secret keys operate on the environment they
were issued for. See Testing.
Example request#
curl https://api.cashsdk.com/v1/apps \
-H "Authorization: Bearer csk_sk_..."
{
"data": [
{
"id": "app_2mK4pQ",
"name": "Focus Timer",
"platform": "ios",
"bundle_id": "com.example.focustimer",
"created_at": "2026-05-02T09:14:00Z"
}
],
"has_more": false,
"next_cursor": null
}
Failed authentication#
A missing, malformed, or revoked token returns 401 Unauthorized:
{
"error": {
"code": "unauthorized",
"message": "No valid API key was provided."
}
}
Using a key without permission for a resource returns 403 Forbidden. See
Errors for the complete list.