API keys (server-to-server)
Every API request includes your key pair as headers: Every request to a tenant-scoped endpoint must include your API key pair:| Header | Value |
|---|---|
x-api-key | Your publishable key, e.g. pk_live_... |
x-api-secret | Your secret key, e.g. sk_live_... |
Content-Type | application/json |
tenantId in the URL or body.
Key types
| Prefix | Purpose | Where it’s safe |
|---|---|---|
pk_live_... / pk_test_... | Publishable key. Identifies your tenant. | OK to ship in clients, logs, frontend code. |
sk_live_... / sk_test_... | Secret key. Authenticates the request. | Server-side only. Never ship to browsers or mobile apps. |
Example
User sessions (dashboard & end-user flows)
The dashboard and user-facing flows (hosted KYC, escrow acceptance) authenticate users with short-lived JWTs plus a session cookie. You don’t manage these directly - they’re issued by/auth/login and refreshed automatically by the dashboard.
If you’re building a customer-facing app that needs a user session, use Single Sign-On below rather than hand-rolling the JWT flow.
Single Sign-On (SSO)
For platforms that want to delegate authentication to their own identity provider, Geldstuck supports SAML 2.0 and OIDC. Contact sales to enable SSO on your tenant. Once enabled, your users are minted a Geldstuck session from your IdP - no password management on our side.Which auth do I use?
| You’re calling… | Use |
|---|---|
/tenants, /kyc, /transactions, /source-of-funds, /webhooks (your backend → our API) | API keys |
The dashboard at app.geldstuck.com | Your Geldstuck login (or SSO) |
| Hosted verification flow in a user’s browser or mobile app | Short-lived verification session token from POST /kyc/onfido |
| Webhook signature verification | Webhook signing secret (different from API keys) |
Rotating keys
Keys should be rotated on a schedule and immediately after any suspected exposure.Deploy the new key alongside the old
Update your secrets manager. Keep the old key live so in-flight requests don’t fail.