Authentication
ParaSta uses API key authentication. Include your secret key in the Authorization header as a Bearer token.
Authorization: Bearer sk_test_abc123...Two key types
Section titled “Two key types”| Key | Prefix | Use | Permissions |
|---|---|---|---|
| Secret | sk_test_... / sk_live_... | Server-side only | All endpoints |
| Publishable | pk_test_... / pk_live_... | Browser, mobile, embedded widgets | Create payments and checkout sessions only — no read, no refund |
Never expose secret keys in client-side code. They grant full account access.
Test mode vs Live mode
Section titled “Test mode vs Live mode”The key prefix determines the mode automatically — there is no separate base URL for test mode. See Test and Live Mode.
Rotating keys
Section titled “Rotating keys”Rotate or revoke keys in the ParaSta Dashboard → Developers → API Keys. Rotation does not affect in-flight requests; cached keys continue working until the rotated key is deleted.