Generate the Right API Key and Keep It Safe
Use API Access when Sabdov needs to connect to a custom storefront, backend, or headless setup. The main rule is simple: public keys for browser-side use, secret keys for server-side use.
Availability
API Access is a Pro feature. If the page or controls are missing, verify plan access and the current workspace before troubleshooting key behavior.
Choose the Key Type First
Public Key
Use this for widgets, browser requests, or client-side forms. Pair it with Allowed Origins so only approved domains can use it.
- Safe in frontend code
- Lock to approved domains
Secret Key
Use this only in backend code or secure server environments. It should never appear in browser bundles, theme files, or public repositories.
- Server-only use
- High-privilege access
Safe Key Creation Flow
Open Settings -> API Access
Open the API Access section in the merchant dashboard.
Choose public or secret
Pick `New public key` for browser-side use or `New secret key` for backend use.
Name it clearly
Use a name that tells you where the key will live, such as `Main Storefront` or `Backend Sync`.
Copy and store it immediately
Sabdov shows the full key only once. Save it in your password manager, secret store, or server environment before closing the modal.
Key Inventory
Use this list to see which keys are active, revoked, and still worth keeping.
| Name | Prefix | Status | Created | Last Used |
|---|---|---|---|---|
| Main Storefront | pk_live | Active | Shown when the key is created | Updates after the first live request |
| Backend Sync | sk_live | Active | Shown when the key is created | Visible from server-side activity |
| Retired Integration | pk_live | Revoked | Kept for audit history | No recent activity |
Allowed Origins
Allowed Origins is the browser allowlist for your public key. Add the exact domains where browser requests should be accepted.
Common Key and Domain Issues
| Error Message | Potential Cause | Resolution |
|---|---|---|
| Browser request blocked by CORS | The live storefront domain is not on the allowlist, or the saved domain does not exactly match the one making the request. | Add the exact browser origin, including protocol and subdomain, then retry from that same site. |
| Generated key is no longer visible | Sabdov shows new API keys only once at creation time for security reasons. | Generate or rotate the key again, copy it immediately, and move it into the correct password manager or server environment before closing the modal. |
| Secret key ended up in frontend code | A secret key was pasted into browser code, a theme file, or a public environment variable instead of staying on the server. | Remove the exposed key, generate a replacement, and keep the new secret only in secure server-side environments. |
| Key creation or origin controls are unavailable | This workspace does not include API Access, or you are looking at a workspace where the feature is not enabled. | Check plan access first, then confirm you are in the correct workspace before troubleshooting the rest of the page. |
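For the CORS row above and the Allowed Origins rule, this added example (not Sabdov code) compares saved entries with the origin a browser sends and reports why each one fails an exact match. It assumes entries are compared exactly with the `Origin` header value; the function names and hostnames are hypothetical.

```javascript
// Added example, not Sabdov code. Assumes allowlist entries are compared
// exactly with the Origin header value; hostnames are constructed samples.
// Reduce a saved entry to the scheme://host[:port] form a browser sends,
// noting anything that made the entry differ from that form.
function normalizeEntry(entry) {
  const notes = [];
  let text = entry.trim();
  if (text !== entry) notes.push("surrounding whitespace");
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(text)) {
    notes.push("missing protocol (assumed https)");
    text = "https://" + text;
  }
  let url;
  try {
    url = new URL(text);
  } catch {
    return { origin: null, notes: ["not a valid URL"] };
  }
  if (url.pathname !== "/" || url.search || url.hash) notes.push("path, query or fragment");
  else if (text.endsWith("/")) notes.push("trailing slash");
  return { origin: url.origin, notes };
}

// Compare the page's origin with every saved entry and explain each mismatch.
function diagnose(pageUrl, allowedEntries) {
  const page = new URL(pageUrl);
  const findings = allowedEntries.map((entry) => {
    const { origin, notes } = normalizeEntry(entry);
    const exact = entry === page.origin;
    const reasons = [...notes];
    if (!exact && origin && origin !== "null") {
      const saved = new URL(origin);
      if (saved.protocol !== page.protocol) reasons.push("protocol differs");
      if (saved.hostname !== page.hostname) reasons.push("host or subdomain differs");
      if (saved.port !== page.port) reasons.push("port differs");
      if (reasons.length === 0) reasons.push("letter case or default port written out");
    }
    return { entry, exact, reasons };
  });
  return { origin: page.origin, allowed: findings.some((f) => f.exact), findings };
}

// Constructed sample: one storefront page and three saved entries.
const report = diagnose("https://www.shop.example/checkout?step=2", [
  "https://shop.example",
  "http://www.shop.example",
  "https://www.shop.example/",
]);
console.log(JSON.stringify(report, null, 2));
```

The `origin` field in the report is the string to paste into Allowed Origins for that page.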
Before you generate a key
Choose the key type before you generate anything, lock public keys to trusted domains, and keep secret keys out of browser-side code.