API Request Authentication

All API requests to Devdraft must be authenticated using API keys. This guide explains how to obtain and use your API keys securely.

API Keys

Devdraft uses API keys to authenticate requests. You can manage your API keys from your dashboard.

Live Keys

Production Environment
  • Format: pk_live_... (publishable) and sk_live_... (secret)
  • Process real transactions
  • Connect to production systems

Test Keys

Development & Testing
  • Format: pk_test_... (publishable) and sk_test_... (secret)
  • Safe for development
  • No real money processed

Key Permissions

Client-Side Safe: These keys can be safely used in client-side code as they have limited permissions.
  • Limited to creating payment intents and retrieving public data
  • Cannot access sensitive account information
  • Safe to expose in frontend applications

Authentication Methods

Bearer Token Authentication

Include your secret API key in the Authorization header: 
curl https://api.devdraft.ai/v1/customers \
  -H "Authorization: Bearer sk_test_your_secret_key_here" \
  -H "Content-Type: application/json"

Basic Authentication

Alternatively, use HTTP Basic Authentication with your secret key as the username: 
curl https://api.devdraft.ai/v1/customers \
  -u sk_test_your_secret_key_here: \
  -H "Content-Type: application/json"

Request Headers

Required Headers

Authorization: Bearer sk_test_your_secret_key_here
Content-Type: application/json

Optional Headers

Idempotency-Key: unique_request_identifier
User-Agent: YourApp/1.0
X-API-Version: 2024-01-01

Code Examples

const axios = require('axios');

const devdraft = axios.create({
  baseURL: 'https://api.devdraft.ai/v1',
  headers: {
    'Authorization': 'Bearer sk_test_your_secret_key_here',
    'Content-Type': 'application/json'
  }
});

// Make a request
const response = await devdraft.get('/customers');

Security Best Practices

Protecting Your Keys

  1. Never expose secret keys in client-side code
  2. Use environment variables to store keys
  3. Rotate keys regularly for enhanced security
  4. Restrict key permissions to minimum required scope

Environment Variables

Store your keys securely: 
# .env file
DEVDRAFT_SECRET_KEY=sk_test_your_secret_key_here
DEVDRAFT_PUBLISHABLE_KEY=pk_test_your_publishable_key_here

Key Rotation

Regularly rotate your API keys:
  1. Generate a new API key in your dashboard
  2. Update your application configuration
  3. Test the new key in a staging environment
  4. Deploy to production
  5. Delete the old key

Error Responses

Authentication Errors

401 Unauthorized: Invalid or missing API key 
{
  "error": {
    "type": "authentication_error",
    "message": "Invalid API key provided"
  }
}
403 Forbidden: Valid key but insufficient permissions 
{
  "error": {
    "type": "permission_error",
    "message": "This API key does not have permission to perform this action"
  }
}

Testing Authentication

Test your authentication setup: 
curl https://api.devdraft.ai/v1/account \
  -H "Authorization: Bearer sk_test_your_secret_key_here"
A successful response confirms your authentication is working correctly.