Skip to main content

Authentication

Omise uses API keys to authenticate requests. You'll need different keys for different operations to keep your integration secure.

Overviewโ€‹

Omise uses HTTP Basic Authentication where your API key serves as the username and the password field is left blank. All API requests must be made over HTTPS - calls made over plain HTTP will fail.

Three Types of API Keysโ€‹

1. Public Keyโ€‹

Used for: Client-side operations (browser, mobile app)

Format: pkey_test_... (test) or pkey_... (live)

Capabilities:

  • โœ… Create tokens (tokenize cards)
  • โœ… Create sources (for alternative payment methods)
  • โœ… View tokens and sources
  • โŒ Create charges (requires secret key)
  • โŒ Access account information

Safe to expose: Yes, your public key can safely be included in client-side code like JavaScript, mobile apps, or HTML.

Example Usageโ€‹

# Note the colon after the key (username:password format with empty password)
curl https://vault.omise.co/tokens \
  -X POST \
  -u pkey_test_5xp6c8ltm5wb5o45cls: \
  -d "card[name]=Somchai Prasert" \
  -d "card[number]=4242424242424242" \
  -d "card[expiration_month]=12" \
  -d "card[expiration_year]=2027" \
  -d "card[security_code]=123"
Why Use Public Keys?

Public keys let you tokenize sensitive data on the client side, so card information never touches your servers. This significantly reduces your PCI compliance requirements.

2. Secret Keyโ€‹

Used for: Server-side operations

Format: skey_test_... (test) or skey_... (live)

Capabilities:

  • โœ… Create charges
  • โœ… Create refunds
  • โœ… Manage customers
  • โœ… Create and manage transfers
  • โœ… Access all account information
  • โœ… Perform all operations

Safe to expose: NO! Secret keys must be kept confidential and only used server-side.

Example Usageโ€‹

curl https://api.omise.co/charges \
  -X POST \
  -u skey_test_5xp6c8n0jvds5mmjizz: \
  -d "amount=100000" \
  -d "currency=thb" \
  -d "card=tokn_test_5xp6ca4dtzx5cskm9mk"
Keep Secret Keys Secret

Never commit secret keys to version control, expose them in client-side code, or share them publicly. Always use environment variables or secure configuration management.

3. Chain Keyโ€‹

Used for: Sub-merchant operations (if you're building a marketplace/platform)

Format: ck_test_... (test) or ck_... (live)

Capabilities:

  • โœ… Make requests on behalf of connected sub-merchants
  • โœ… All capabilities of secret key for sub-accounts

Safe to expose: NO! Treat chain keys with the same security as secret keys.

Chain keys are only relevant if you're using Omise Connect to manage sub-merchant accounts. Most merchants won't need chain keys.

Test vs Live Keysโ€‹

Each key type has both test and live versions:

EnvironmentPublic Key PrefixSecret Key PrefixPurpose
Testpkey_test_skey_test_Development & testing
Livepkey_skey_Production transactions
Automatic Environment Detection

Test keys only work in test mode and live keys only work in live mode. This prevents accidental charges during development.

Where to Find Your Keysโ€‹

  1. Log into your Omise Dashboard
  2. Navigate to Settings โ†’ Keys
  3. You'll see your keys for both test and live environments

Test Keysโ€‹

Test keys are available immediately after signup - no verification required!

Live Keysโ€‹

Live keys become available after you complete your business verification. See the Going Live guide for details.

How to Use API Keysโ€‹

HTTP Basic Authenticationโ€‹

Omise uses HTTP Basic Authentication where:

  • Username: Your API key
  • Password: Empty (leave blank)

The authentication header format is:

Authorization: Basic base64(api_key:)

Note the colon after the API key - the password field is intentionally left empty.

In Code Examplesโ€‹

# Public key - creates token
curl https://vault.omise.co/tokens \
  -u pkey_test_YOUR_KEY:

# Secret key - creates charge
curl https://api.omise.co/charges \
  -u skey_test_YOUR_KEY:

Security Best Practicesโ€‹

DO โœ…โ€‹

  1. Use Environment Variables

    # .env file
    OMISE_PUBLIC_KEY=pkey_test_...
    OMISE_SECRET_KEY=skey_test_...

  2. Store Keys Securely

    • Use secrets management services (AWS Secrets Manager, Azure Key Vault, etc.)
    • Use environment variables on your server
    • Encrypt keys in your configuration

  3. Rotate Keys Regularly

    • You can generate new keys in your dashboard
    • Old keys remain valid until you delete them
    • Update your code gradually to avoid downtime

  4. Use Different Keys for Different Environments

    • Development: Test keys
    • Staging: Test keys
    • Production: Live keys

  5. Monitor Key Usage

    • Check your dashboard for unauthorized API calls
    • Set up alerts for unusual activity

DON'T โŒโ€‹

  1. Never Commit Keys to Version Control

    # Add to .gitignore
    .env
    .env.local
    config/secrets.yml

  2. Never Expose Secret Keys Client-Side

    // โŒ WRONG - Secret key in JavaScript
    const omise = require('omise')({
      secretKey: 'skey_test_...'  // Visible to users!
    });

  3. Never Share Keys Publicly

    • Don't post keys in support tickets
    • Don't share keys via email or chat
    • Don't include keys in screenshots

  4. Never Hard-Code Keys

    // โŒ WRONG
    define('OMISE_SECRET_KEY', 'skey_test_5xp...');

    // โœ… CORRECT
    define('OMISE_SECRET_KEY', getenv('OMISE_SECRET_KEY'));

Authentication Errorsโ€‹

Invalid Keyโ€‹

{
  "object": "error",
  "location": "https://www.omise.co/api-errors#authentication-failure",
  "code": "authentication_failure",
  "message": "authentication failed"
}

Causes:

  • Using the wrong key type (public vs secret)
  • Typo in the API key
  • Using a deleted key
  • Key doesn't match the environment (test vs live)

Solution: Double-check your key in the dashboard and ensure you're using the correct key type.

Missing Authenticationโ€‹

{
  "object": "error",
  "location": "https://www.omise.co/api-errors#authentication-required",
  "code": "authentication_required",
  "message": "authentication required"
}

Cause: No API key provided in the request.

Solution: Ensure your HTTP client is configured to send Basic Authentication headers.

Key Managementโ€‹

Generating New Keysโ€‹

  1. Go to Settings โ†’ Keys in your dashboard
  2. Click Generate New Key
  3. Choose the key type (Public or Secret)
  4. Copy the new key immediately (you can't retrieve it later)
  5. Update your application code
  6. Test thoroughly before deleting old keys

Deleting Keysโ€‹

  1. Generate and deploy new keys first
  2. Ensure all services are using the new keys
  3. Delete the old keys from your dashboard
  4. Monitor for any authentication errors
Key Deletion

Deleting a key immediately invalidates it. Make sure no services are still using a key before deletion!

FAQโ€‹

Can I use my secret key in mobile apps?

No! Mobile app code can be decompiled, exposing your secret key. Always:

  • Use your public key in mobile apps
  • Send tokens to your server
  • Create charges server-side with your secret key

See our mobile SDK guides for proper implementation.

How do I switch from test to live mode?

Simply replace your test keys with live keys in your code:

// Change from:
const omise = require('omise')({
  secretKey: 'skey_test_...'
});

// To:
const omise = require('omise')({
  secretKey: 'skey_...'  // No "_test_" prefix
});

Your integration code remains exactly the same!

What if my keys are compromised?
  1. Immediately: Generate new keys in your dashboard
  2. Delete the compromised keys
  3. Update all your services with new keys
  4. Monitor your account for unauthorized charges
  5. Contact support@omise.co to report the incident

We recommend rotating keys as a precaution if:

  • A developer with key access leaves your company
  • You suspect a security breach
  • Keys were accidentally committed to public repositories
Can I have multiple sets of keys?

Each account has one set of test keys and one set of live keys. However, you can:

  • Regenerate keys at any time (old keys remain valid)
  • Create multiple Omise accounts for different brands/businesses
  • Use sub-accounts with Omise Connect (for platforms)
Do keys expire?

No, API keys don't expire automatically. However, we recommend:

  • Rotating keys periodically (every 6-12 months)
  • Generating new keys when team members with access leave
  • Immediately replacing keys if compromised
What's the difference between vault.omise.co and api.omise.co?
  • vault.omise.co: Used with public keys for tokenization (keeping card data secure)
  • api.omise.co: Used with secret keys for all other operations

This separation ensures sensitive card data never reaches your servers or the main API.

Questions? Contact support@omise.co or check the API Reference for detailed endpoint documentation.