Casharc authenticates API requests using a public/secret key pair issued per project. Every request must include both keys as headers, and must originate from an allow-listed IP address.
Create an API key in your project settings. On creation you receive:
Public key — identifies your project. Safe to store on your side.
Secret key — authenticates the request. Shown only once, at creation time, and never stored by Casharc in plain text. If you lose it, rotate the key and update your integration.
Keep your secret key server-side. Never expose it in client-side code or commit it to source control.
Each API key is restricted to a set of allow-listed IP addresses. Requests from any other address are rejected, even with valid keys. Add the IP addresses of your servers to the key's allow-list in your project settings.
Each API key carries a set of permissions that control which endpoints it may call (for example, creating payments versus only reading them). Grant a key the minimum permissions its integration needs.