Authentication

How to authenticate requests to the Prolifi Public API

API keys

The Prolifi Public API uses Bearer token authentication. Every request must include an Authorization header with a valid API key.

curl https://api.prolifi.co/api/v1/public/plans \
  -H "Authorization: Bearer sk_test_your_secret_key_here"

You can generate and manage API keys from the API Settings page in the Prolifi dashboard.

Key types

Prolifi issues two types of API keys, each with different permissions:

| Key type | Prefix | Permissions | Use case |
| --- | --- | --- | --- |
| Secret key | `sk_test_*` / `sk_live_*` | Full read and write access | Server-side integrations |
| Public key | `pk_test_*` / `pk_live_*` | Read-only access | Client-side data fetching (plans, entitlements) |

Secret keys grant full write access to your account. Never expose secret keys in client-side code, public repositories, or browser-accessible bundles. If a secret key is compromised, rotate it immediately from the dashboard.
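
As an added example (not Prolifi code), a build-time check that enforces the rule above by scanning client-shipped files for secret-key prefixes while ignoring public keys. The key-body pattern, file names and sample keys are assumptions constructed for illustration; the page documents only the prefixes.

```python
import re

# Key prefixes are taken from the page. The characters and minimum length after
# the prefix are assumptions: the page does not document the key format.
KEY_RE = re.compile(r"\b(?P<kind>sk|pk)_(?P<mode>test|live)_[A-Za-z0-9]{8,}")


def redact(key):
    """Keep the prefix and last 4 characters so findings are safe to log."""
    prefix_end = key.index("_", 3) + 1  # end of "sk_live_" / "sk_test_"
    return key[:prefix_end] + "..." + key[-4:]


def scan_client_files(files):
    """Return one finding per secret key (sk_*) in a {path: text} mapping.
    Public keys (pk_*) are read-only per the page and are not reported."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in KEY_RE.finditer(line):
                if m.group("kind") != "sk":
                    continue
                findings.append({
                    "path": path,
                    "line": lineno,
                    "key": redact(m.group(0)),
                    # Live secret keys can write to production; test keys hit the sandbox.
                    "severity": "critical" if m.group("mode") == "live" else "high",
                })
    return findings


# Constructed sample input: file names and key values are made up for this example.
SAMPLE_BUNDLE = {
    "dist/app.js": 'const plans = fetchPlans("pk_live_Zx81kQm2Lp07");\n'
                   'const admin = "sk_live_9fQ2mB7xT4cR";\n',
    "dist/config.js": 'export const KEY = "sk_test_A1b2C3d4E5f6";\n',
    "dist/vendor.js": "// task_test_runner has no key\n",
}

if __name__ == "__main__":
    for f in scan_client_files(SAMPLE_BUNDLE):
        print(f"{f['severity'].upper()} {f['path']}:{f['line']} {f['key']}")
```

Run it in CI against the built bundle and fail the build on any finding; a key that has already shipped still needs to be rotated from the dashboard.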

Environments

Each API key pair operates in one of two modes:

| Mode | Key prefix | Description |
| --- | --- | --- |
| Test | `sk_test_*` / `pk_test_*` | Sandbox environment for development and testing. No real charges are made. |
| Live | `sk_live_*` / `pk_live_*` | Production environment. Real charges are processed. |

Live mode must be explicitly enabled for your account before live keys will authenticate. Using a live key before activation returns a 403 error.

Public key restrictions

Public keys (pk_*) are restricted to read-only operations. Any POST, PATCH, PUT, or DELETE request made with a public key returns a 403 error:

{
  "error": {
    "type": "permission_error",
    "message": "Public keys (pk_*) are read-only. Use a secret key (sk_*) for write operations."
  }
}

This makes public keys safe for use in client-side code where you only need to fetch plans or check entitlements.

Error responses

| Status | Error type | Cause |
| --- | --- | --- |
| 401 | authentication_error | Missing, invalid, or unrecognised API key |
| 403 | permission_error | Live mode not enabled for your account |
| 403 | permission_error | Public key used for a write operation |