All Simiz API requests require authentication via your secret API key passed as a Bearer token.

API key types

| Key type | Prefix | Environment | Usage |
|---|---|---|---|
| Test secret key | sk_test_ | Sandbox | Development & testing |
| Live secret key | sk_live_ | Production | Real transactions |
| Publishable key | pk_test_ / pk_live_ | Both | Client-side (checkout forms) |

Secret keys must never be exposed in client-side code, Git repos, or logs. Use publishable keys for client-side operations.

Authenticating requests

Include your secret key in the Authorization header:
curl https://api.simiz.io/v1/transactions \
  -H "Authorization: Bearer sk_test_xxxxxxxxxxxx"

Managing API keys

  1. Go to Dashboard → Settings → API Keys
  2. Your keys are displayed (secret keys are partially hidden)
  3. Click Regenerate to generate new keys
  4. The old key is immediately revoked

API key scopes

  • Each API key now includes explicit scopes.
  • Route access is default-deny for API-key auth unless the route is marked with allowed scopes (or explicitly public).
  • PUBLISHABLE keys can only receive publishable-safe scopes.

After regenerating a key, update your application immediately. The old key stops working as soon as the new one is generated.

Sandbox vs Production

The API key prefix determines the environment:
  • sk_test_ → All requests go to the sandbox (no real money)
  • sk_live_ → All requests go to production (real transactions)

The base URL is the same for both: https://api.simiz.io/v1/

Use environment variables to switch between sandbox and production without code changes:
# .env.development
SIMIZ_SECRET_KEY=sk_test_xxxxxxxxxxxx

# .env.production
SIMIZ_SECRET_KEY=sk_live_xxxxxxxxxxxx
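
Because the base URL is shared and only the prefix selects the environment, a key loaded from the wrong .env file will silently hit the other environment. The following is an added example, not Simiz code: a startup guard that reads SIMIZ_SECRET_KEY, rejects publishable keys and environment mismatches, and never puts the secret part of a key into an error message. The function names, KeyConfigError and the expected_env argument are hypothetical and assume the application knows which environment it is deployed as.

```python
import os

# Prefixes documented on this page -> (key kind, environment).
PREFIXES = {
    "sk_test_": ("secret", "sandbox"),
    "sk_live_": ("secret", "production"),
    "pk_test_": ("publishable", "sandbox"),
    "pk_live_": ("publishable", "production"),
}


class KeyConfigError(ValueError):
    """The configured key does not fit this deployment."""


def classify_key(key):
    """Return (kind, environment) judged from the key prefix alone."""
    for prefix, meta in PREFIXES.items():
        if key.startswith(prefix) and len(key) > len(prefix):
            return meta
    raise KeyConfigError("unrecognised API key prefix")


def redact(key):
    """Log-safe form: keep the prefix, drop the secret part."""
    prefix = next((p for p in PREFIXES if key.startswith(p)), "")
    return prefix + "****"


def load_secret_key(expected_env, environ=os.environ):
    """Read SIMIZ_SECRET_KEY; fail fast unless it is a secret key for
    expected_env ("sandbox" or "production", supplied by the caller)."""
    key = environ.get("SIMIZ_SECRET_KEY", "").strip()
    if not key:
        raise KeyConfigError("SIMIZ_SECRET_KEY is not set")
    kind, env = classify_key(key)
    if kind != "secret":
        raise KeyConfigError(f"{redact(key)} is publishable, not a secret key")
    if env != expected_env:
        raise KeyConfigError(f"{redact(key)} targets {env}, not {expected_env}")
    return key


def auth_headers(key):
    """Bearer header in the form the curl example on this page uses."""
    return {"Authorization": f"Bearer {key}"}
```

Call load_secret_key once at startup so a misconfigured deployment stops before it sends any request.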

Best practices

  • Use environment variables — Never hardcode API keys
  • Restrict key permissions — Use keys with the minimum required permissions
  • Rotate keys regularly — Regenerate keys periodically
  • Monitor usage — Check the Dashboard for unusual API activity