API Keys
Learn the difference between Salable's publishable and secret API keys, when to use each, and how to keep your backend secure.
How API Keys Work
Both keys are passed as a Bearer token in the Authorization header:
Authorization: Bearer <your-key>

Salable looks up the key and uses the key's type to determine what access to grant. You don't need to specify which type of key you're using; the key itself carries that information.
The Two Key Types
Publishable Key
The publishable key is safe to include in frontend code such as browser applications, mobile apps, or any other client that runs outside your server. Because it's visible to end users, it only grants access to endpoints that are safe for public exposure.
One endpoint that accepts the publishable key is GET /api/entitlements/check, which tells your frontend whether a specific grantee has access to an entitlement.
const response = await fetch(`https://salable.app/api/entitlements/check?granteeId=${userId}`, {
  headers: {
    Authorization: `Bearer ${process.env.SALABLE_PUBLISHABLE_KEY}`
  }
});

Secret Key
The secret key grants full access to the Salable API and must only be used in server-side code: API routes, serverless functions, and backend services. Never expose it in client-side code such as a web browser.
const response = await fetch('https://salable.app/api/products', {
  headers: {
    Authorization: `Bearer ${process.env.SALABLE_SECRET_KEY}`
  }
});

Use the secret key for all operations beyond entitlement checks: creating products and plans, managing subscriptions, recording usage, generating checkout links, and any other administrative action.
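As an added example (not Salable's own code), the helper below wraps the two key types described above: it refuses to hand out the secret key when a browser global is present, fails loudly when an environment variable is missing, and treats any error in the publishable-key entitlement check as "no access". The `hasEntitlement` response field, the `checkEntitlement` and `listProducts` names, and the injectable `fetchImpl` parameter are assumptions made for this example.

```javascript
// Added example, not Salable's own code. Helpers for the two key types:
// the secret key is refused in a browser context, missing variables fail
// loudly, and the client-side entitlement check fails closed.
const SALABLE_BASE = 'https://salable.app';

// Build the Authorization header for a key type. The secret key is never
// handed out when a browser global (window) is present.
function authHeaders(keyType, env = process.env) {
  if (keyType === 'secret' && typeof window !== 'undefined') {
    throw new Error('SALABLE_SECRET_KEY must not be used in client-side code');
  }
  const name = keyType === 'secret' ? 'SALABLE_SECRET_KEY' : 'SALABLE_PUBLISHABLE_KEY';
  const key = env[name];
  if (!key) throw new Error(`${name} is not set`);
  return { Authorization: `Bearer ${key}` };
}

// Frontend entitlement check with the publishable key. A non-2xx response,
// a network error or a missing key is reported as "no access" (fail closed).
// The response field name `hasEntitlement` is assumed for this example.
async function checkEntitlement(granteeId, { env = process.env, fetchImpl = fetch } = {}) {
  const query = new URLSearchParams({ granteeId }).toString(); // safe encoding of the id
  const url = `${SALABLE_BASE}/api/entitlements/check?${query}`;
  try {
    const res = await fetchImpl(url, { headers: authHeaders('publishable', env) });
    if (!res.ok) return false;
    const body = await res.json();
    return body.hasEntitlement === true;
  } catch {
    return false;
  }
}

// Server-side call with the secret key, e.g. from an API route. Errors are
// surfaced to the caller so the backend can log and handle them.
async function listProducts({ env = process.env, fetchImpl = fetch } = {}) {
  const res = await fetchImpl(`${SALABLE_BASE}/api/products`, {
    headers: authHeaders('secret', env),
  });
  if (!res.ok) throw new Error(`Salable responded with HTTP ${res.status}`);
  return res.json();
}
```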
Test Mode and Live Mode Keys
Each environment has its own pair of keys. Test Mode keys work with Stripe test cards and don't process real payments. Live Mode keys are for production.
Keys are provisioned automatically the first time you visit the API Keys page on the dashboard. You'll find both your publishable and secret keys there.
Keeping Your Secret Key Secure
Store your secret key in environment variables, never in source code. Any exposure of this key is a potential security risk for you and your users.
# .env.local
SALABLE_SECRET_KEY=your_secret_key_here