Environments & API keys
Learn how Tokeflow encodes environments and scope into your API keys, and how to create, rotate, and store them securely.
Every request to Tokeflow is authenticated with an API key, and every key carries its own context: which environment it targets, whether it is safe to expose in a browser, and which entity it acts on behalf of. Understanding how that context is encoded lets you wire up integrations correctly the first time.
This page covers the base URL and versioning, how environments are represented, the four key forms, and the key lifecycle (create, rotate, revoke) you manage in the Tokeflow Dashboard.
New to authenticating requests? Start with Authentication for header formats and worked examples, then come back here for environment and lifecycle details.
Base URL and versioning
All API traffic goes to a single host, and every endpoint lives under a version prefix.
https://api.tokeflow.com/api/v1Tokeflow uses URI versioning. The current version is v1, and it appears in the path of every endpoint:
curl https://api.tokeflow.com/api/v1/transactions \
-H "Authorization: Bearer sk_live_mer_xxxxxxxx"There is no separate hostname for testing. The environment you operate in is a property of the key you send, not the URL. The same base URL serves every environment — Tokeflow resolves the environment from the key on each request.
Pin your integration to v1 explicitly. When a future major version ships, it will be served under a new path prefix so your existing calls keep working unchanged.
How environments are encoded
Tokeflow keys are self-describing. Each key follows a fixed anatomy, and one of its segments names the environment the key is bound to:
{sk|pk}_{environment}_{org|mer}_{random}
│ │ │ │
│ │ │ └─ random, high-entropy secret
│ │ └─ scope: organization (org) or merchant (mer)
│ └─ environment the key is bound to
└─ key type: sk = secret (server-side), pk = public (client-safe)A live secret merchant key, for example, looks like this:
sk_live_mer_9f2c4a7b1e8d3c5a6b0f2e1d4c7a9b3eReading left to right:
| Segment | Example | Meaning |
|---|---|---|
| Key type | sk | sk = secret (server-side only); pk = public (client-safe) |
| Environment | live | The environment this key targets |
| Scope | mer | org = Organization-wide; mer = a single Merchant |
| Random | 9f2c… | The high-entropy secret portion |
You can identify any key at a glance without calling the API. If a value starts with sk_, it is a secret and must stay server-side. If the environment segment does not match the environment you intended to call, you are using the wrong key.
Because the environment is baked into the key:
- Keys are not portable across environments. A key issued for one environment will not authenticate against another.
- You never switch hosts or versions to change environments — you switch keys.
- Each environment keeps its own isolated set of keys, data, and configuration. Activity performed with one environment's key never touches another's.
Secret vs. public keys
The first segment, sk or pk, is the single most important thing to get right.
- Secret keys (
sk_…) authenticate server-to-server calls. They can perform privileged actions and must never appear in browser code, mobile apps, public repositories, logs, or anywhere a third party could read them. - Public keys (
pk_…) are restricted to a small set of client-safe scopes and are designed to be embedded in browser or client code. They cannot perform privileged server actions.
Treat a secret key like a password. If a secret key is ever committed to source control, pasted into a ticket, or shipped to a client, consider it compromised and rotate it immediately (see Rotate on exposure).
Server-side requests authenticate with the standard header:
Authorization: Bearer sk_live_mer_xxxxxxxxPublic keys are used by Tokeflow's client SDK rather than passed on the Authorization header directly. See the SDK overview for how pk_… keys are presented in browser contexts.
Organization vs. Merchant scope
The third segment, org or mer, determines which entity the key acts on behalf of. Tokeflow is multi-tenant: an Organization can contain many Merchants.
- A Merchant key is automatically scoped to its merchant. The merchant is inferred from the key, so you never pass a
merchant_id. - An Organization key spans every merchant in the org. For merchant-scoped resources, it must identify the target merchant explicitly — via the
merchant_idquery parameter on list/get requests, or themerchant_idbody field on create requests.
# Organization key: target a specific merchant with merchant_id
curl "https://api.tokeflow.com/api/v1/transactions?merchant_id=mrc_a1b2c3" \
-H "Authorization: Bearer sk_live_org_xxxxxxxx"# Merchant key: merchant is inferred, no merchant_id needed
curl "https://api.tokeflow.com/api/v1/transactions" \
-H "Authorization: Bearer sk_live_mer_xxxxxxxx"Beyond entity scope, each key also carries permission scopes in resource:action form (for example transactions:read, products:write). A key can only perform actions its scopes allow. See Authentication for the full scope model.
The four key forms
Combining key type (sk/pk) with entity scope (org/mer) gives four distinct key forms. Choose the narrowest one that still does the job.
| Key form | Prefix | Where it runs | Typical use |
|---|---|---|---|
| Secret · Organization | sk_live_org_… | Server-side only | Org-level automation across many merchants; pass merchant_id for merchant-scoped resources |
| Secret · Merchant | sk_live_mer_… | Server-side only | A single merchant's backend; merchant inferred, no merchant_id |
| Public · Organization | pk_live_org_… | Client-safe (browser) | Org-wide client-side flows in client-safe scopes |
| Public · Merchant | pk_live_mer_… | Client-safe (browser) | A single merchant's client-side flows (e.g. checkout) in client-safe scopes |
Prefer Merchant keys for per-merchant integrations and reserve Organization keys for genuinely cross-merchant automation. A merchant key cannot reach another merchant's data, which keeps blast radius small if it leaks.
Key lifecycle
You create, rotate, and revoke keys in the Tokeflow Dashboard during onboarding and throughout the life of your integration. Keys are issued per environment and per entity.
Create a key
In the Dashboard, create a key by giving it:
- A human-readable name that identifies the integration (for example,
Prod - Main Backend). - A type (secret or public) and an entity scope (organization or merchant).
- The permission scopes it needs, in
resource:actionform. Grant only what the integration requires.
When the key is created, Tokeflow shows the full secret value exactly once. Copy it immediately into your secrets store — it cannot be retrieved again afterward. Only a short, non-sensitive prefix is shown in the Dashboard from that point on, so you can recognize the key without exposing it.
The full key value is displayed only at creation time. If you lose it, you cannot recover it — you must rotate to a new key.
Use separate keys per integration
Issue a distinct key for each service, environment, and integration. Do not share one key across multiple systems.
One key per service. Separate keys mean you can rotate or revoke a single integration without taking the others down, and the Dashboard's per-key activity (such as last-used timestamps) tells you exactly which system did what. A shared key turns every rotation into a coordinated outage.
Store secrets safely
Secret keys belong in a secrets manager or injected as environment variables at deploy time — never hardcoded in source, committed to version control, or embedded in client-side bundles.
// Read the key from the environment, never inline it
const apiKey = process.env.TOKEFLOW_SECRET_KEY;
const res = await fetch("https://api.tokeflow.com/api/v1/transactions", {
headers: {
Authorization: `Bearer ${apiKey}`,
"Content-Type": "application/json",
},
});Recommended practices:
- Keep secrets in a dedicated secrets manager and inject them at runtime.
- Add key files and
.envfiles to.gitignore; scan commits for accidental leaks. - Restrict who can read production secrets.
- Never log full key values. Log at most the non-sensitive prefix.
Rotate keys
Rotate keys on a regular schedule and whenever team members with access leave. Tokeflow supports overlapping rotation so you can roll keys with zero downtime:
- Create a new key with the same scope and permissions in the Dashboard.
- Deploy the new key to your service (via your secrets manager).
- Verify the new key is serving live traffic.
- Revoke the old key once it is no longer in use.
Because old and new keys are valid simultaneously during the overlap, there is no window where requests fail.
Rotate on exposure
If a secret key is ever exposed — committed to a repo, leaked in logs, shared outside your team, or sent to a client — treat it as compromised:
- Create a replacement key immediately.
- Deploy the replacement.
- Revoke the exposed key right away.
Revoking a key takes effect immediately and is irreversible. Any service still using a revoked key will receive 401 Unauthorized (authentication_error). Confirm the replacement is live before you revoke.
Errors you may see
Authentication and authorization problems return the standard error envelope:
{
"error": {
"type": "authentication_error",
"code": "INVALID_API_KEY",
"message": "The provided API key is invalid, revoked, or for a different environment.",
"details": {},
"request_id": "req_8f3c2a1b9d7e",
"timestamp": "2026-01-15T12:30:00.000Z"
}
}| HTTP | Error type | Common cause |
|---|---|---|
| 401 | authentication_error | Missing, malformed, revoked, or wrong-environment key |
| 403 | authorization_error | Valid key, but lacking the required scope or entity access |
If you see a 401 on a key you believe is valid, check that the environment segment of the key matches the environment you intend to call.
Next steps
- Authentication — headers, scopes, and worked auth examples.
- Introduction — how orchestration, routing, and multi-tenant governance fit together.
- SDK overview — using public keys safely in the browser.