Authentication
The Skiro API uses bearer token authentication. Every request must include your API key in the Authorization header.
API keys
There are two types:
| Prefix | Use for |
|---|---|
| sk_test_... | Development and testing. No real cards charged. |
| sk_live_... | Production. Charges real cards. |
Create as many keys as you want from the API keys page. Labeling them helps when you have multiple environments or services.
Keep keys secret
Anyone with your live key can charge real cards. Don't commit them, log them, or put them in browser code. Use environment variables, and revoke any key that leaks.
Authorization header
Pass your key as a bearer token:
curl https://api.skiro.io/v1/checkout \
-H "Authorization: Bearer sk_live_..." \
-H "Content-Type: application/json" \
-d '{"amount": 49.99, "currency": "USD", "payout_currency": "USDT"}'
Authentication errors
If your key is missing, malformed, or revoked, you get a 401 Unauthorized:
{
  "error": "invalid_api_key",
  "message": "The provided API key was not found or has been revoked."
}
Related responses:
- 403 Forbidden: key is valid but not allowed to perform the action (e.g. a test key creating a live charge).
- 429 Too Many Requests: you've hit the rate limit. Retry with exponential backoff.
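A client-side sketch of the key handling and error responses described above, added here as an example and not taken from Skiro's own code or SDK. The `SKIRO_API_KEY` variable name, the `allow_live` guard, the function names and the retry limits are assumptions; only the endpoint, the key prefixes and the status codes come from this page.

```python
import os
import random
import time
import urllib.error
import urllib.request

API_URL = "https://api.skiro.io/v1/checkout"  # endpoint from the curl example above


def load_key(env=os.environ, var="SKIRO_API_KEY", allow_live=False):
    """Read the key from the environment; SKIRO_API_KEY is an assumed variable name."""
    key = env.get(var, "")
    if not key.startswith(("sk_test_", "sk_live_")):
        raise ValueError(f"{var} is missing or does not look like a Skiro key")
    if key.startswith("sk_live_") and not allow_live:
        raise ValueError("live key refused: this process is not marked as production")
    return key


def redact(key):
    """Form that is safe to log: the 8-character prefix only, never the secret part."""
    return key[:8] + "****"


def http_post(key, body):
    """Default transport: one POST with the bearer header, returns the HTTP status."""
    req = urllib.request.Request(API_URL, data=body, method="POST", headers={
        "Authorization": f"Bearer {key}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def post_with_backoff(key, body, send=http_post, sleep=time.sleep, max_tries=5):
    """Retry only on 429; 401 and 403 are key problems that a retry cannot fix."""
    for attempt in range(max_tries):
        status = send(key, body)
        if status == 401:
            raise PermissionError(f"key {redact(key)} missing, malformed or revoked")
        if status == 403:
            raise PermissionError(f"key {redact(key)} not allowed to perform this action")
        if status != 429:
            return status
        if attempt < max_tries - 1:
            # Exponential backoff (1s, 2s, 4s, ... capped at 30s) plus jitter.
            sleep(min(2 ** attempt, 30) + random.uniform(0, 0.5))
    raise RuntimeError("still rate limited after retries")
```

Failing fast on 401 also makes a revoked key show up immediately in logs during rotation, with only the redacted prefix recorded.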
Rotating keys
Revoke a key from the dashboard. Once revoked, any request using it fails with 401.
For zero-downtime rotation:
- Create a new key with the same label.
- Deploy it to your environment.
- Confirm the new key is being used in your logs.
- Revoke the old key.