> ## Documentation Index
> Fetch the complete documentation index at: https://developer.notchpay.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate with the Notch Pay API and secure your integration

Proper authentication is essential for securing your Notch Pay integration. This guide explains the key concepts of authentication and how to get started with implementing it in your applications.

<Callout type="info">
  For detailed API specifications and code examples in multiple languages, see the [Authentication API Reference](/api-reference/authentication).
</Callout>

## API Keys Overview

Notch Pay uses API keys to authenticate requests to our API. When you create a Notch Pay account, you'll receive two sets of API keys:

<CardGroup cols={2}>
  <Card title="Test API Keys" icon="vial" color="#16A34A">
    Used for development and testing. These keys contain the `test_` prefix.

    All transactions made with test API keys don't affect your live data and are only visible in test mode.
  </Card>

  <Card title="Live API Keys" icon="rocket" color="#16A34A">
    Used for production environments. Only use these keys when your application is ready for real transactions.
  </Card>
</CardGroup>

You can find your API keys in your [Notch Pay Business suite](https://business.notchpay.co) under Settings > API Keys.

## Types of API Keys

Notch Pay provides two types of API keys for different purposes:

<Tabs>
  <Tab title="Public Keys">
    Public keys (starting with `pk_`) are used for client-side operations that don't require access to sensitive data. These keys can be safely included in your frontend code.

    Example: `pk_test_123456789abcdef`

    **Use for**: Creating payment sessions, initializing the Notch Pay SDK in client-side code
  </Tab>

  <Tab title="Private Keys">
    Private keys (starting with `sk_`) are used for server-side operations that require access to sensitive data. These keys should never be exposed in your frontend code or public repositories.

    Example: `sk_test_123456789abcdef`

    **Use for**: Accessing account information, creating transfers, managing webhooks
  </Tab>
</Tabs>

## Authentication Methods

Notch Pay supports several authentication methods depending on the type of operation:

### Standard Authentication

For most API requests, include your API key in the `Authorization` header:

```
Authorization: YOUR_PUBLIC_KEY
```

### Advanced Authentication

Some sensitive operations require additional authentication using the `X-Grant` header with your private key:

```
X-Grant: YOUR_PRIVATE_KEY
```

### Sync Account Authentication

When working with connected accounts, specify the account using the `X-Sync` header:

```
X-Sync: SYNC_ACCOUNT_ID
```

## API Key Security

<Steps>
  <Step title="Keep Keys Secure">
    Never share your private keys in publicly accessible areas such as GitHub, client-side code, or social media.
  </Step>

  <Step title="Use Environment Variables">
    Store API keys in environment variables or secure vaults, not in your application code.
  </Step>

  <Step title="Implement Access Controls">
    Limit who can access your API keys within your organization.
  </Step>

  <Step title="Rotate Keys Regularly">
    Periodically rotate your API keys, especially if you suspect they may have been compromised.
  </Step>

  <Step title="Use Test Keys for Development">
    Always use test API keys for development and testing to avoid accidental charges.
  </Step>
</Steps>

## Common Authentication Errors

The API returns specific error codes and messages when authentication fails:

| Error                        | Description                         | Solution                                                     |
| ---------------------------- | ----------------------------------- | ------------------------------------------------------------ |
| 401 - API key missing        | No API key was provided             | Include your API key in the `Authorization` header           |
| 401 - Invalid API key        | The API key is incorrect or revoked | Check that you're using the correct API key                  |
| 403 - Missing grant key      | Advanced authentication required    | Include your private key in the `X-Grant` header             |
| 403 - Invalid grant key      | The private key is incorrect        | Verify your private key is correct                           |
| 404 - Sync account not found | Invalid sync account ID             | Check that the sync account exists and you have access to it |

## Next Steps

* [Authentication API Reference](/api-reference/authentication) - Detailed API specifications and code examples
* [Error Handling](/get-started/errors) - Learn about error handling in the Notch Pay API
* [Security Best Practices](/security/best-practices) - Discover more ways to secure your integration
