Skip to main content

Authentication

MuPag keeps a strict line between public keys and server-side credentials.

sk_* for authenticated operations

Use Authorization: Bearer sk_test_... in sandbox and Authorization: Bearer sk_live_... in production. These keys belong to your backend, workers and jobs.

pk_* only for card tokenization

When checkout needs card tokenization, use the approved PSP tokenization flow. A pk_* key never replaces sk_* for merchant API calls.

Operational rules

  • Never send sk_* from the browser.
  • Never place secrets in URLs, query strings or screenshots.
  • Send Idempotency-Key on POST operations.
  • If you rotate credentials, allow a short overlap window and clear old caches.

Did this page unblock the next step?

Feedback stays inside the docs flow and should never include customer or card data.