Skip to main content

API Keys

Eventop uses API keys to authenticate requests. Your API keys carry significant privileges, so keep them secure!

Key Types

Test Keys

Format: sk_test_...
  • Use with Devnet environment
  • No real funds
  • Safe for development and testing

Live Keys

Format: sk_live_...
  • Use with Mainnet environment
  • Real cryptocurrency transactions
  • Production use only

Creating API Keys

1

Navigate to Settings

Go to dashboard.eventop.xyz/settings/api-keys
2

Click Create API Key

Choose a descriptive name and select the environment
3

Save Your Key

Copy the key immediately - it’s only shown once!
4

Store Securely

Save the key in your environment variables or secrets manager
Never commit API keys to version control! Use environment variables instead.

Using API Keys

Include your API key in the Authorization header with the Bearer scheme: 
curl https://api.eventop.xyz/checkout/create \
  -H "Authorization: Bearer sk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "planId": "premium-monthly",
    "customerEmail": "user@example.com",
    "successUrl": "https://yourdomain.com/success"
  }'

Environment Variables

Store API keys in environment variables: 
# Devnet (testing)
EVENTOP_API_KEY=sk_test_abc123...

# Mainnet (production)
# EVENTOP_API_KEY=sk_live_xyz789...

# Webhook secret (from dashboard)
EVENTOP_WEBHOOK_SECRET=whsec_abc123...

# Your merchant wallet
MERCHANT_WALLET=7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU

Key Management

Rotating Keys

Rotate your API keys periodically for security:
1

Create New Key

Generate a new API key in the dashboard
2

Update Your Code

Deploy your application with the new key
3

Verify Operation

Confirm everything works with the new key
4

Revoke Old Key

Delete the old key from the dashboard

Revoking Compromised Keys

If an API key is compromised:
  1. Immediately revoke it in the dashboard
  2. Create a new key with a different name
  3. Update your application with the new key
  4. Review recent activity for suspicious requests

Security Best Practices

Never hardcode API keys in your source code. Use environment variables or a secrets manager.
Use different keys for development and production. Never use live keys in testing.
Create separate keys for different purposes (e.g., one for checkouts, one for webhooks).
Check the “Last Used” timestamp in the dashboard to detect unauthorized usage.
Rotate API keys every 90 days as a security best practice.

Troubleshooting

Problem: Your API key is invalid or expired.Solution:
  • Verify the key is correct (check for typos)
  • Ensure you’re using the right key for the environment
  • Check if the key has been revoked in the dashboard
Problem: Using a test key on mainnet URLs or vice versa.Solution:
  • Test keys (sk_test_...) only work with api-devnet.eventop.xyz
  • Live keys (sk_live_...) only work with api.eventop.xyz
  • Let the SDK auto-detect the environment from your key prefix