Base URL
All endpoints are relative to the following production base URL:
https://api.swiftpay.finance
Authentication
Both key types are found under Settings → API Keys in the SwiftPay dashboard.
| Key | Prefix | Visibility | Where used |
|---|---|---|---|
| Secret key | sk_live_* | Shown once at creation/rotation — store it securely | Server-side only — invoice and transaction endpoints |
| Publishable key | pk_live_* | Always visible in the dashboard | Client-side safe — checkout integration and hosted widget |
Pass the secret key via the X-Swift-Key header on protected server-side requests.
Public endpoints (GET /v1/utils/chains, GET /v1/utils/tokens) require no authentication.
Never expose your secret key (sk_live_*) in client-side code, public repositories, or logs.
Store it in an environment variable or secrets manager and only use it server-side. If you believe
your secret key has been compromised, rotate it immediately from Settings → API Keys.
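The following server-side helper is an added example, not SwiftPay's own code. It attaches X-Swift-Key only to protected endpoints, rejects a publishable key supplied by mistake, and scrubs secret keys from log records. The environment variable name `SWIFTPAY_SECRET_KEY`, the function and class names, and the character set assumed for the key body after its prefix are assumptions.

```python
import logging
import os
import re

BASE_URL = "https://api.swiftpay.finance"
# Public endpoints named on this page; they are sent without a key.
PUBLIC_ENDPOINTS = {("GET", "/v1/utils/chains"), ("GET", "/v1/utils/tokens")}
ENV_VAR = "SWIFTPAY_SECRET_KEY"  # assumed variable name, not from the page
# Assumption: the key body after the prefix is letters, digits, "_" or "-".
SECRET_KEY_RE = re.compile(r"sk_live_[A-Za-z0-9_-]+")


def redact(text):
    """Replace anything that looks like a secret key before it is written out."""
    return SECRET_KEY_RE.sub("sk_live_[REDACTED]", text)


class RedactSecretKeys(logging.Filter):
    """Logging filter that scrubs secret keys from the formatted message."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted, drop the raw args
        return True


def load_secret_key(env=os.environ):
    """Read the key on each call; nothing is cached in module state."""
    key = env.get(ENV_VAR, "")
    if key.startswith("pk_live_"):
        raise ValueError(f"{ENV_VAR} holds a publishable key; a secret key is required")
    if not key.startswith("sk_live_"):
        raise ValueError(f"{ENV_VAR} is missing or is not an sk_live_ key")
    return key


def build_request(method, path, env=os.environ):
    """Return (url, headers); X-Swift-Key is set only for protected endpoints."""
    headers = {}
    if (method.upper(), path) not in PUBLIC_ENDPOINTS:
        headers["X-Swift-Key"] = load_secret_key(env)
    return BASE_URL + path, headers
```

Attach `RedactSecretKeys()` to each logging handler with `handler.addFilter(...)` so that request dumps and exception messages pass through it.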
Key rotation
To rotate either key from the dashboard:
- Open Settings → API Keys
- Click Rotate next to the key you want to rotate
- Confirm the dialog — a new key is generated immediately
- Update your environment variables or secrets manager with the new value
Rotated keys are invalidated immediately. Copy and deploy the new key to your environment before
your next request — any request still using the old key will be rejected.
Checkout integration (publishable key)
The publishable key (pk_live_*) is the credential used when embedding the SwiftPay hosted
checkout or iFrame widget. It is safe to include in client-side code because it can only create
checkout sessions — it cannot access merchant data or transaction history.