---
title: Authentication
subtitle: How to authenticate requests to the Prolifi Public API
slug: api-guides/authentication
---


## API keys

The Prolifi Public API uses Bearer token authentication. Every request must include an `Authorization` header with a valid API key.

```bash
curl https://api.prolifi.co/api/v1/public/plans \
  -H "Authorization: Bearer sk_test_your_secret_key_here"
```

You can generate and manage API keys from the **API Settings** page in the Prolifi dashboard.

## Key types

Prolifi issues two types of API keys, each with different permissions:

| Key type       | Prefix                    | Permissions                | Use case                                        |
| -------------- | ------------------------- | -------------------------- | ----------------------------------------------- |
| **Secret key** | `sk_test_*` / `sk_live_*` | Full read and write access | Server-side integrations                        |
| **Public key** | `pk_test_*` / `pk_live_*` | Read-only access           | Client-side data fetching (plans, entitlements) |

<Warning>
  Secret keys grant full write access to your account. Never expose secret keys in client-side code, public repositories, or browser-accessible bundles. If a secret key is compromised, rotate it immediately from the dashboard.
</Warning>

## Environments

Each API key pair operates in one of two modes:

| Mode     | Key prefix                | Description                                                                |
| -------- | ------------------------- | -------------------------------------------------------------------------- |
| **Test** | `sk_test_*` / `pk_test_*` | Sandbox environment for development and testing. No real charges are made. |
| **Live** | `sk_live_*` / `pk_live_*` | Production environment. Real charges are processed.                        |

<Note>
  Live mode must be explicitly enabled for your account before live keys will authenticate. Using a live key before activation returns a `403` error.
</Note>

## Public key restrictions

Public keys (`pk_*`) are restricted to read-only operations. Any `POST`, `PATCH`, `PUT`, or `DELETE` request made with a public key returns a `403` error:

```json
{
  "error": {
    "type": "permission_error",
    "message": "Public keys (pk_*) are read-only. Use a secret key (sk_*) for write operations."
  }
}
```

This makes public keys safe for use in client-side code where you only need to fetch plans or check entitlements.

## Error responses

| Status | Error type             | Cause                                     |
| ------ | ---------------------- | ----------------------------------------- |
| `401`  | `authentication_error` | Missing, invalid, or unrecognised API key |
| `403`  | `permission_error`     | Live mode not enabled for your account    |
| `403`  | `permission_error`     | Public key used for a write operation     |
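
As an added example (not Prolifi's own client library), the following Python wrapper puts the key-type, environment and error-response rules above into practice: it classifies a key by its documented `sk_`/`pk_` and `test`/`live` prefix, refuses to send a `POST`/`PATCH`/`PUT`/`DELETE` with a public key before the request leaves the process, masks the key in error messages, and maps the `401`/`403` bodies from the table to exceptions. The HTTP transport is injected so the code runs offline; `make_fake_transport`, the sample key values, the `plan_sample` body and the `Invalid API key` and live-mode messages are all constructed for this example, while the read-only message is the one documented above.

```python
"""Added example, not Prolifi's own client library: a small wrapper that applies the key
rules on this page before a request leaves the process and maps the documented error
bodies to exceptions. The transport is injected, so it runs offline against a constructed fake."""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Documented prefixes: sk_ = secret (read/write), pk_ = public (read-only);
# test = sandbox, live = production. The alphanumeric suffix is an assumption.
KEY_PATTERN = re.compile(r"^(sk|pk)_(test|live)_[A-Za-z0-9]+$")
WRITE_METHODS = {"POST", "PATCH", "PUT", "DELETE"}
BASE_URL = "https://api.prolifi.co/api/v1/public"
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]

class ProlifiAuthenticationError(Exception):
    """401 authentication_error: missing, invalid or unrecognised API key."""

class ProlifiPermissionError(Exception):
    """403 permission_error: live mode not enabled, or public key used for a write."""

@dataclass(frozen=True)
class ApiKey:
    value: str
    kind: str  # "secret" or "public"
    mode: str  # "test" or "live"

    @property
    def can_write(self) -> bool:
        return self.kind == "secret"

    def masked(self) -> str:
        """Log-safe form: the 8-character type/mode prefix plus the last 4 characters."""
        return f"{self.value[:8]}...{self.value[-4:]}"

def parse_key(raw: str) -> ApiKey:
    """Classify a key by its documented prefix; reject anything else before it is used."""
    m = KEY_PATTERN.match(raw)
    if not m:
        raise ValueError("API key does not match the documented sk_/pk_ test/live format")
    return ApiKey(raw, "secret" if m.group(1) == "sk" else "public", m.group(2))

class ProlifiClient:
    def __init__(self, key: ApiKey, transport: Transport):
        self.key, self.transport = key, transport

    def request(self, method: str, path: str) -> dict:
        method = method.upper()
        # Apply the documented rule locally: public keys are read-only. Failing here
        # saves a round trip that the API would reject with 403 anyway.
        if method in WRITE_METHODS and not self.key.can_write:
            raise ProlifiPermissionError(
                f"{self.key.masked()} is a public key; {method} {path} needs a secret key")
        status, body = self.transport(method, BASE_URL + path,
                                      {"Authorization": f"Bearer {self.key.value}"})
        payload = json.loads(body) if body else {}
        message = payload.get("error", {}).get("message", "")
        if status == 401:
            raise ProlifiAuthenticationError(message or "authentication_error")
        if status == 403:
            raise ProlifiPermissionError(message or "permission_error")
        return payload

def _error(status: int, etype: str, message: str) -> Tuple[int, bytes]:
    return status, json.dumps({"error": {"type": etype, "message": message}}).encode()

def make_fake_transport(known_keys: set, live_enabled: bool) -> Transport:
    """Constructed offline stand-in for the API that returns the responses this page
    documents; the 200 body and the 401 and live-mode messages are sample values."""
    def transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in known_keys:
            return _error(401, "authentication_error", "Invalid API key")
        if "_live_" in token and not live_enabled:
            return _error(403, "permission_error", "Live mode is not enabled for this account")
        if token.startswith("pk_") and method in WRITE_METHODS:
            return _error(403, "permission_error", "Public keys (pk_*) are read-only. "
                          "Use a secret key (sk_*) for write operations.")
        return 200, json.dumps({"data": [{"id": "plan_sample", "name": "Starter"}]}).encode()
    return transport

def demo() -> Dict[str, str]:
    """Walk through each documented outcome and return what the client observed."""
    sk_test, pk_test, sk_live = "sk_test_" + "a" * 24, "pk_test_" + "b" * 24, "sk_live_" + "c" * 24
    transport = make_fake_transport({sk_test, pk_test, sk_live}, live_enabled=False)
    seen = {"public_read": ProlifiClient(parse_key(pk_test), transport).request("GET", "/plans")["data"][0]["id"]}
    for label, key, method in [("public_write", pk_test, "POST"), ("unknown_key", "sk_test_" + "z" * 24, "GET"),
                               ("live_not_enabled", sk_live, "GET"), ("secret_write", sk_test, "POST")]:
        try:
            ProlifiClient(parse_key(key), transport).request(method, "/plans")
            seen[label] = "ok"
        except (ProlifiAuthenticationError, ProlifiPermissionError) as exc:
            seen[label] = f"{type(exc).__name__}: {exc}"
    # Defence in depth: with the local check bypassed, the server still rejects pk_ writes.
    status, _ = transport("POST", BASE_URL + "/plans", {"Authorization": f"Bearer {pk_test}"})
    seen["server_rejects_pk_write"] = str(status)
    return seen
```

Calling `demo()` exercises every row of the error table plus the successful cases. In a real integration the transport would wrap `requests` or `urllib`, and the secret key would be read from an environment variable or a secret store rather than appearing in source, so that the `masked()` form is the only one that ever reaches logs.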