How to Get API Keys
API keys overview.
To facilitate secure server-to-server communications with Ottu's API, you will need to obtain and utilize specific credentials known as API Keys, which are differentiated into Private and Public Keys depending on their intended use.
Type: Private Key (API-Key)
Usage: This key should be used exclusively for server-side communications and must be embedded in the HTTP header as follows:
Header: Authorization
Value: Api-Key {{api_key}}
Security: Given its capacity to grant admin-level privileges across all public endpoints, the Private API Key must be handled with utmost caution to prevent unauthorized access or exposure.
Type: Public Key
Usage: This key is used to initialize the Checkout SDK and is safe for distribution as it does not provide access to critical API functionalities.
Security: Since the Public Key doesn’t grant access to sensitive API endpoints, it can be safely embedded within client-side applications without risking significant security vulnerabilities.
Private Key Storage: Always store the Private API Key securely within your server environment, well-separated from your publicly accessible codebase. It should never be embedded in client-facing SDKs or made public.
Public Key Accessibility: The Public Key, designed for client-side use, can be shared with clients to interact with the Checkout SDK.
By adhering to these guidelines and using each key in its respective context, you ensure the integrity and security of your system while maintaining seamless functionality with Ottu's services.
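The storage guideline above can be enforced in a server-side deployment. The following is an added example, not Ottu's own code: it reads the Private Key from the environment, builds the Authorization header in the documented form, masks the key for logging, and scans a client bundle directory for the key before release. The variable name OTTU_API_KEY, the file names and the key values are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

ENV_VAR = "OTTU_API_KEY"  # assumed variable name, not defined by the page


def auth_headers(environ=os.environ):
    """Build the server-side header: Authorization: Api-Key <private key>."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to build the header")
    return {"Authorization": f"Api-Key {key}"}


def redact(headers):
    """Return a copy of the headers that is safe to log (key masked)."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Api-Key ****"
    return safe


def find_key_leaks(client_root, private_key):
    """Return client-facing files that contain the private key verbatim."""
    needle = private_key.encode()
    leaks = []
    for path in sorted(Path(client_root).rglob("*")):
        if path.is_file() and needle in path.read_bytes():
            leaks.append(str(path.relative_to(client_root)))
    return leaks


def demo():
    """Constructed sample: a fake key and a fake client bundle in a temp dir."""
    fake_private = "constructed-private-key-0000"  # constructed, not a real key
    headers = auth_headers({ENV_VAR: fake_private})
    with tempfile.TemporaryDirectory() as root:
        # Public key in client code is expected; private key is the mistake.
        Path(root, "checkout.js").write_text("const pk = 'constructed-public-key-0000';")
        Path(root, "config.js").write_text(f"const k = '{fake_private}';")
        leaks = find_key_leaks(root, fake_private)
    return redact(headers), leaks


if __name__ == "__main__":
    print(demo())
```

Running find_key_leaks against the built client assets as a release gate fails the build when the Private Key has been copied into code that ships to browsers or mobile apps.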