API Keys

API keys authenticate requests between servers and the Martis API. Each key is a unique credential that identifies the requesting application and determines access permissions. Proper key management is essential for maintaining security and preventing unauthorized access.


Overview

An API key consists of a secret string that must be included in the Authorization header of every API request. Keys are environment-specific — sandbox keys only work with the sandbox API, and production keys only work with the production API.

| Component | Description |
| --- | --- |
| API Key | Secret credential generated by Martis |
| Environment | Sandbox or production scope |
| Permissions | Access level granted to the key |

Generate an API Key

Only account owners or authorized team members can create API keys.

Steps

  1. Sign in to the Creator Hub

  2. Navigate to Integration → API Keys


  3. Click Create new API key and enter a descriptive name


  4. Copy the secret key immediately — it is displayed only once



Key Storage

Store API keys securely using one of the following methods:

| Method | Description |
| --- | --- |
| Environment Variables | Store keys in server environment variables |
| Secrets Manager | Use a dedicated secrets management service (e.g., AWS Secrets Manager, HashiCorp Vault) |
| Encrypted Configuration | Store in encrypted configuration files with restricted access |

Security Requirements

  • Never commit keys to version control
  • Never include keys in client-side code
  • Rotate keys periodically and immediately upon suspected compromise
  • Use separate keys for each service or application
  • Remove unused keys promptly

IP Restrictions

Restrict API key usage to specific IP addresses for enhanced security. When enabled, requests from non-listed IP addresses are rejected.

| Configuration | Allowed IPs | Best For |
| --- | --- | --- |
| Unrestricted | Any IP address | Development, internal testing |
| Restricted | Listed IPs only | Production, locked-down environments |

Configure IP Restrictions

  1. Navigate to Integration → API Keys
  2. Select the key to configure
  3. Click Manage IP Restrictions
  4. Add allowed IP addresses or CIDR ranges
  5. Save changes

Key Rotation

Regular key rotation limits the impact of potential key exposure.

Rotation Process

  1. Generate a new API key
  2. Update the application to use the new key
  3. Verify the application functions correctly
  4. Revoke the old key

Rotation Triggers

  • Scheduled rotation (recommended: every 90 days)
  • Team member departure
  • Suspected key compromise
  • Security audit findings

Revoke a Key

Revoked keys immediately stop working. This action cannot be undone.

  1. Navigate to Integration → API Keys
  2. Locate the key to revoke
  3. Click the options menu (⋮)
  4. Select Revoke
  5. Confirm the revocation

Using API Keys

Include the API key in the Authorization header using the Bearer scheme:

Request with API key

curl https://api-staging.martis.id/api/v1/payments/charges \
  --header 'Authorization: Bearer {API_KEY}' \
  --header 'Content-Type: application/json'

Header Format

Authorization: Bearer sk_live_abc123xyz...

Error Responses

| Status | Description |
| --- | --- |
| 401 Unauthorized | Invalid, expired, or missing API key |
| 403 Forbidden | Valid key but insufficient permissions for the requested action |

Environment-Specific Keys

Each environment requires its own API key:

| Environment | Key Prefix | Base URL |
| --- | --- | --- |
| Sandbox | sk_test_ | https://api-staging.martis.id |
| Production | sk_live_ | https://api.martis.id |

Using a sandbox key with the production API (or vice versa) returns a 401 Unauthorized error.
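The following is an added example, not Martis code: it loads the key from an environment variable (as recommended under Key Storage), derives the base URL from the key prefix in the table above so a sandbox key can never be sent to the production host, and redacts the key in error messages. The variable name MARTIS_API_KEY and all function names are assumptions made for this illustration.

```python
import os
import urllib.request
from typing import Mapping, Optional

# Prefix-to-base-URL mapping from the Environment-Specific Keys table.
BASE_URLS = {
    "sk_test_": "https://api-staging.martis.id",
    "sk_live_": "https://api.martis.id",
}


def base_url_for(key: str) -> str:
    """Return the base URL matching the key's prefix, or raise ValueError."""
    for prefix, url in BASE_URLS.items():
        # Require at least one character after the prefix.
        if key.startswith(prefix) and len(key) > len(prefix):
            return url
    raise ValueError("key has no recognised sk_test_/sk_live_ prefix")


def redact(key: str) -> str:
    """Keep only the environment prefix so the secret never reaches logs."""
    return key[:8] + "..." if key[:8] in BASE_URLS else "<redacted>"


def load_key(env: Mapping[str, str] = os.environ,
             var: str = "MARTIS_API_KEY") -> str:
    """Read the key from the environment; the variable name is an assumption."""
    key = env.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set")
    return key


def build_request(key: str, path: str,
                  expect: Optional[str] = None) -> urllib.request.Request:
    """Build (not send) a request whose host is derived from the key prefix.

    `expect` is an optional guard ("sk_test_" or "sk_live_") so a production
    key deployed to a sandbox service fails before any network call.
    """
    url = base_url_for(key) + path
    if expect is not None and not key.startswith(expect):
        raise ValueError(f"expected a {expect} key, got {redact(key)}")
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {key}",
        "Content-Type": "application/json",
    })
```

Pass the returned object to urllib.request.urlopen to send it; a 401 at that point indicates an invalid, expired, or missing key rather than an environment mismatch.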


Best Practices

  • Descriptive naming — Name keys by purpose (e.g., "Backend Production", "Webhook Service")
  • Minimal access — Grant only the permissions each service requires
  • Separate keys — Use different keys for different services or environments
  • Audit regularly — Review active keys and remove those no longer in use
  • Monitor usage — Track API key usage patterns to detect anomalies
