Use API keys safely
API keys let external systems connect to AtomicPay. Treat them like sensitive credentials because they can give systems access to business data or actions.
This guide covers seller workflow and security habits. Endpoint reference, authentication details, and payload examples stay in AtomicPay API Docs.
When to use the API
| Use the API when | Use the dashboard when |
|---|---|
| A backend system needs automated access. | A team member can complete the task manually. |
| You need recurring syncs for purchases, subscriptions, or customers. | You only need one export or quick review. |
| You need to connect AtomicPay to internal tools. | You are still testing the operational process. |
| A workflow requires programmatic cancellation or lookup. | The action is rare and safer through the UI. |
API key safety
| Practice | Why it matters |
|---|---|
| Store keys in environment variables | Avoids exposing secrets in code or docs. |
| Limit who can view keys | Reduces accidental leaks. |
| Rotate keys regularly | Limits the impact of old or exposed credentials. |
| Revoke unused keys | Removes access from abandoned integrations. |
| Separate environments | Keeps test and production workflows from mixing. |
Create and manage API access
- Confirm the integration truly needs API access.
- Review the required data or action.
- Create the API key in the appropriate developer or integration area.
- Store the key securely outside source code.
- Configure the external system.
- Test with a low-risk request.
- Monitor errors and usage.
- Rotate or revoke the key when access changes.
Troubleshoot API access
- Key was copied incorrectly.
- Key belongs to the wrong business or environment.
- External system is using the wrong authentication format.
- Integration does not have permission for the attempted action.
- Key was rotated or revoked.
- Endpoint details changed or are being called incorrectly.
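An added example, not AtomicPay's own code: one way a backend could load its key from environment variables and catch two of the causes listed above (a miscopied key, a key from the wrong environment) before the first request. The variable names `ATOMICPAY_API_KEY_TEST` and `ATOMICPAY_API_KEY_PROD`, and the assumption that keys never contain whitespace or quote characters, are hypothetical.

```python
import hashlib
import os

# Hypothetical variable names, one per environment, so test and production never share a slot.
ENV_VARS = {"test": "ATOMICPAY_API_KEY_TEST", "production": "ATOMICPAY_API_KEY_PROD"}
QUOTES = "\"'"


class KeyConfigError(RuntimeError):
    """Raised when the key cannot be loaded safely. Messages never include the key."""


def fingerprint(key: str) -> str:
    """Short SHA-256 prefix that identifies a key in logs without revealing it."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


def load_api_key(environment: str, env=None) -> str:
    """Return the key for `environment`, or raise KeyConfigError (fail closed)."""
    env = os.environ if env is None else env
    if environment not in ENV_VARS:
        raise KeyConfigError(f"unknown environment {environment!r}")
    name = ENV_VARS[environment]
    raw = env.get(name)
    if not raw:
        raise KeyConfigError(f"{name} is not set")
    # Copy/paste damage: stray newline, spaces, or quotes pasted along with the key.
    # Assumption: a valid key has no whitespace and does not start or end with a quote.
    if any(ch.isspace() for ch in raw) or raw[0] in QUOTES or raw[-1] in QUOTES:
        raise KeyConfigError(f"{name} contains whitespace or surrounding quotes")
    # Environment separation: the same secret must not be configured for both.
    for other_env, other_name in ENV_VARS.items():
        if other_env != environment and env.get(other_name) == raw:
            raise KeyConfigError(f"{name} and {other_name} hold the same key")
    return raw


if __name__ == "__main__":
    try:
        key = load_api_key(os.environ.get("APP_ENV", "test"))  # APP_ENV is hypothetical
        print("API key loaded, fingerprint", fingerprint(key))
    except KeyConfigError as exc:
        raise SystemExit(f"refusing to start: {exc}")
```

Logging the fingerprint instead of the key lets you confirm which key a deployment is using after a rotation without exposing the secret.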
FAQ
Where are API endpoints documented?
Use AtomicPay API Docs for endpoint reference, authentication, payloads, and technical examples.
Can I put an API key in frontend code?
No. Store API keys securely on the server side or in protected environment variables. Do not expose them in browser code, public repositories, or screenshots.
When should I revoke an API key?
Revoke it when an integration is retired, a vendor no longer needs access, a teammate leaves, or you suspect the key was exposed.