Safe to embed in client apps. Used by the SDKs to fetch offerings and start purchases. Cannot read customer data or perform privileged operations.
Authentication
API keys, token types, and how to authenticate requests to CashSDK.
CashSDK authenticates every request with a bearer token in the Authorization
header.
Authorization: Bearer csk_sk_...
Token types#
Publishable keypk_live_… / pk_test_…Secret keycsk_sk_…Full server-side access. Used by your backend, the CLI, and the MCP server. Never ship a secret key in a client app.
Setup tokencsk_st_…A scoped, short-lived token for onboarding and provisioning flows. Accepted by the MCP server and CLI for setup tasks.
Treat secret keys like passwords. If one leaks, rotate it immediately from
Settings → API keys or with cashsdk /
the rotate_api_key MCP tool.
Test vs. live mode#
Publishable keys come in pk_test_… and pk_live_… variants. Test mode uses
store sandbox environments and seeded data so you can exercise the full purchase
flow without real charges. See Testing.
Base URLs#
https://api.cashsdk.com
All endpoints are versioned under /v1.
Example request#
curl https://api.cashsdk.com/v1/apps \
-H "Authorization: Bearer csk_sk_..."
A missing or invalid token returns 401 Unauthorized. See
Errors for the full list.