Guide

Server-side API keys

Payment APIs are not browser toys. If a secret can be extracted from a client, it will be—eventually and painfully.

Conceptual operational diagram for this guide. Not live merchant data or metrics.

01

What does “server-side API keys” mean?

It means payment creation, privileged reads, and secret-bearing configuration changes are performed from your backend using keys stored in server-side secret management—not from web bundles, mobile apps, or public repositories.

02

Why does this matter for crypto payments?

Crypto payment flows often combine payer UX with high-risk capabilities. Separating “customer checkout surfaces” from “secret-bearing integration” reduces accidental exposure and narrows incident blast radius.

03

How does a healthy checkout architecture look?

The browser talks to your backend. Your backend talks to Kobbopay. Status pages and payer experiences can still exist—without shipping merchant API keys to clients.
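The shape described in 01 and 03, as an added Python example (not Kobbopay code; Kobbopay's real endpoints, key format and configuration names are not on this page, so the `KOBBOPAY_SECRET_KEY` variable, the `/v1/payments` path and the `fake_provider` function are constructed stand-ins). The browser only ever calls your backend; the backend loads the key from server-side configuration, fails closed if it is missing, adds the credential to the provider call, and returns an allow-listed view so nothing secret-bearing leaks back to the client.

```python
import json
import os

# Hypothetical environment variable name (constructed for this example); in
# production it is populated by your secret manager, never by a client bundle.
SECRET_ENV_VAR = "KOBBOPAY_SECRET_KEY"

# Allow-list of fields a browser or mobile client may see. Anything not listed
# here (credentials, raw provider responses) stays on the server.
CLIENT_SAFE_FIELDS = ("payment_id", "status", "amount", "currency", "checkout_url")


def load_api_key(environ=os.environ):
    """Read the merchant key from server-side configuration only.

    A missing or placeholder value raises, so a misconfigured deployment fails
    closed instead of quietly calling the provider without a credential.
    """
    key = environ.get(SECRET_ENV_VAR, "").strip()
    if not key or key.lower() in {"changeme", "todo", "placeholder"}:
        raise RuntimeError(f"{SECRET_ENV_VAR} is not set in server-side secret management")
    return key


def fake_provider(method, path, headers, body):
    """Constructed stand-in for the provider's HTTP API (not Kobbopay's real API).

    It enforces the one property this guide cares about: a request without a
    server-held credential is rejected.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or len(auth) <= len("Bearer "):
        return 401, {"error": "missing merchant credential"}
    if method != "POST" or path != "/v1/payments":
        return 404, {"error": "unknown endpoint"}
    order = json.loads(body)
    return 201, {
        "payment_id": "pay_constructed_001",
        "status": "pending",
        "amount": order["amount"],
        "currency": order["currency"],
        "checkout_url": "https://pay.example.invalid/c/pay_constructed_001",
        # Constructed: a field the client must never see, to show the allow-list at work.
        "raw_request_headers": headers,
    }


def create_checkout(order, api_key, transport=fake_provider):
    """Backend-only step: the server attaches the credential and talks to the provider."""
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    status, payload = transport("POST", "/v1/payments", headers, json.dumps(order))
    if status != 201:
        raise RuntimeError(f"provider rejected payment creation: {status} {payload}")
    return payload


def client_safe_view(provider_payload):
    """Project the provider response onto the allow-list; unknown fields are dropped."""
    return {k: provider_payload[k] for k in CLIENT_SAFE_FIELDS if k in provider_payload}


def handle_checkout_request(order, environ=os.environ, transport=fake_provider):
    """What the browser's POST to your backend hits: validate, call provider, filter."""
    if not isinstance(order.get("amount"), (int, float)) or order["amount"] <= 0:
        raise ValueError("invalid amount")
    if not order.get("currency"):
        raise ValueError("missing currency")
    api_key = load_api_key(environ)
    return client_safe_view(create_checkout(order, api_key, transport))


if __name__ == "__main__":
    # Constructed secret; a real deployment reads it from the secret manager.
    env = {SECRET_ENV_VAR: "constructed-secret-key"}
    print(handle_checkout_request({"amount": 25, "currency": "USDT"}, environ=env))
```

The same allow-list projection is what a public status page should be built on: the page reads `client_safe_view` output from your backend and never holds the key that produced it.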

04

Common mistakes

  • Embedding keys in mobile apps “temporarily” for a demo that becomes production.
  • Pasting secrets into support chats, screenshots, or shared documents.
  • Sharing the same key across unrelated services “for convenience.”

05

Security considerations

Rotate on compromise, scope keys to least privilege where your program supports it, and treat webhook secrets with the same seriousness as API keys.
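Treating webhook secrets like API keys means verifying every delivery server-side and being able to rotate the secret without dropping in-flight events. The following is an added Python example, not Kobbopay's code: the header layout `t=<unix-seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">` is constructed for illustration because this page does not describe Kobbopay's real signing scheme. It uses a constant-time comparison, rejects stale timestamps, and accepts an ordered list of secrets (newest first) so rotation on compromise can overlap briefly.

```python
import hashlib
import hmac
import time

# Deliveries older or newer than this are rejected, which limits replay of a captured event.
TOLERANCE_SECONDS = 300


def sign(secret, timestamp, raw_body):
    """HMAC-SHA256 over "<timestamp>.<raw body>" (constructed scheme for this example)."""
    msg = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def make_header(secret, timestamp, raw_body):
    """Build the signature header the (hypothetical) provider would send."""
    return f"t={timestamp},v1={sign(secret, timestamp, raw_body)}"


def parse_header(header):
    """Split "k=v,k=v" into a dict of lists; repeated keys are kept, not overwritten."""
    parts = {}
    for item in header.split(","):
        key, _, value = item.partition("=")
        parts.setdefault(key.strip(), []).append(value.strip())
    return parts


def verify_webhook(raw_body, header, secrets, now=None):
    """Return True only if the raw body is signed by one of `secrets` and the
    timestamp is within tolerance. Verify against the raw bytes, never a
    re-serialised JSON object, or a harmless reformatting breaks the check."""
    now = time.time() if now is None else now
    parts = parse_header(header)
    try:
        ts = int(parts["t"][0])
    except (KeyError, IndexError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    candidates = parts.get("v1", [])
    for secret in secrets:
        expected = sign(secret, ts, raw_body)
        for sig in candidates:
            # compare_digest avoids leaking how many leading bytes matched.
            if hmac.compare_digest(expected, sig):
                return True
    return False


if __name__ == "__main__":
    # Constructed delivery and secrets; in production the secrets come from the secret manager.
    body = b'{"payment_id":"pay_constructed_001","status":"confirmed"}'
    hdr = make_header("previous-secret", 1_700_000_000, body)
    print(verify_webhook(body, hdr, ["current-secret", "previous-secret"], now=1_700_000_010))
```

Keep the previous secret in the list only for the rotation window, then drop it; a secret that is kept "just in case" is the same exposure the rotation was meant to remove.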

Read: /docs#concepts, Security.