Authentication
MuPag keeps a strict line between public keys and server-side credentials.
sk_* for authenticated operations
Use Authorization: Bearer sk_test_... in sandbox and Authorization: Bearer sk_live_... in production. These keys belong to your backend, workers and jobs.
pk_* only for card tokenization
When checkout needs card tokenization, use the approved PSP tokenization flow. A pk_* key never replaces sk_* for merchant API calls.
Operational rules
- Never send
sk_*from the browser. - Never place secrets in URLs, query strings or screenshots.
- Send
Idempotency-KeyonPOSToperations. - If you rotate credentials, allow a short overlap window and clear old caches.
Did this page unblock the next step?
Feedback stays inside the docs flow and should never include customer or card data.