Authentication

API keys, token types, and how to authenticate requests to CashSDK.

CashSDK authenticates every request with a bearer token in the Authorization header.

bash
Authorization: Bearer csk_sk_...

Token types#

Publishable keypk_live_… / pk_test_…

Safe to embed in client apps. Used by the SDKs to fetch offerings and start purchases. Cannot read customer data or perform privileged operations.

Secret keycsk_sk_…

Full server-side access. Used by your backend, the CLI, and the MCP server. Never ship a secret key in a client app.

Setup tokencsk_st_…

A scoped, short-lived token for onboarding and provisioning flows. Accepted by the MCP server and CLI for setup tasks.

Treat secret keys like passwords. If one leaks, rotate it immediately from Settings → API keys or with cashsdk / the rotate_api_key MCP tool.

Test vs. live mode#

Publishable keys come in pk_test_… and pk_live_… variants. Test mode uses store sandbox environments and seeded data so you can exercise the full purchase flow without real charges. See Testing.

Base URLs#

bash
https://api.cashsdk.com

All endpoints are versioned under /v1.

Example request#

bash
curl https://api.cashsdk.com/v1/apps \
  -H "Authorization: Bearer csk_sk_..."

A missing or invalid token returns 401 Unauthorized. See Errors for the full list.