Credential Types
| Type | Header | Who uses it | Format |
|---|---|---|---|
| Public Key | x-public-key or ?publicKey= | Browser / React SDK | pk_live_... |
| API Key (Secret) | Authorization: Bearer | Your backend server | sk_live_... |
| Service Key | x-service-key | Ecom portal / internal services | env var |
Which Key Should I Use?
I'm calling from the browser (React SDK)
Use your Public Key. It’s safe to expose in frontend code. It can only read data and initiate checkout — it cannot modify subscriptions.
I'm calling from my backend server
Use your Secret Key (API Key) in the Authorization header. Keep this server-side only — never expose it in client code.
I'm the Crovver ecom portal
Use the Service Key with an orgId query param. This is an internal credential for server-to-server calls between Crovver services.
Test vs Live Keys
Both public and secret keys come in test and live variants:
| Prefix | Environment |
|---|---|
| pk_live_, sk_live_ | Production — real payments |
| pk_test_, sk_test_ | Test — routed to test payment credentials |
Test keys route to payment providers configured with test credentials. Use Stripe test card 4242 4242 4242 4242 to simulate successful payments.
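The prefix rules above can be enforced in CI. This added example (not Crovver's own code) scans frontend source for secret keys, which must stay server-side, and reports them redacted. The key-body character set, file names and key values are assumptions constructed for illustration.

```javascript
// Added example, not Crovver code. The key-body charset is an assumption:
// the page only documents the pk_/sk_ and live_/test_ prefixes.
const KEY_RE = /\b(pk|sk)_(live|test)_[A-Za-z0-9]+/g;

// Map a key's prefix to the type and environment from the tables above.
function classifyKey(key) {
  const m = /^(pk|sk)_(live|test)_/.exec(key);
  if (!m) return null;
  return {
    type: m[1] === 'pk' ? 'public' : 'secret',
    environment: m[2] === 'live' ? 'production' : 'test',
    browserSafe: m[1] === 'pk', // only public keys may ship to the browser
  };
}

// Keep the 8-character prefix and last 4 characters so reports never leak a key.
function redact(key) {
  return key.slice(0, 8) + '...' + key.slice(-4);
}

// files: { path: sourceText } for code that is bundled and sent to browsers.
// Returns one finding per secret key; public keys are allowed and skipped.
function scanClientFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      for (const [key] of line.matchAll(KEY_RE)) {
        const info = classifyKey(key);
        if (info.browserSafe) continue;
        findings.push({ path, line: i + 1, environment: info.environment, key: redact(key) });
      }
    });
  }
  return findings;
}

// Constructed sample input: file names and key values are made up.
const sampleFiles = {
  'src/App.jsx': 'const crovverKey = "pk_live_EXAMPLE0000";\nrender();',
  'src/api.js': '// TODO move to backend\nconst k = "sk_live_EXAMPLE1111";',
  'src/dev.js': 'fetch(url, { headers: { Authorization: "Bearer sk_test_EXAMPLE2222" } });',
};
console.log(scanClientFiles(sampleFiles));
```

A finding for a production secret key means the key has already been exposed to anyone who loaded the bundle, so treat it as compromised rather than only removing it from the source.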