All Simiz API requests require authentication via your secret API key passed as a Bearer token.

API key types

| Key type | Prefix | Environment | Usage |
|---|---|---|---|
| Test secret key | smz_test_sk_ | Sandbox | Development & testing |
| Live secret key | smz_live_sk_ | Production | Real transactions |
| Publishable key | smz_test_pk_ / smz_live_pk_ | Both | Client-side (checkout forms) |

Secret keys must never be exposed in client-side code, Git repos, or logs. Use publishable keys for client-side operations.

Authenticating requests

Include your secret key in the Authorization header:
curl https://api.simiz.io/v1/transactions \
  -H "Authorization: Bearer smz_test_sk_xxxxxxxxxxxx"

Managing API keys

  1. Go to Dashboard → Settings → API Keys
  2. Your keys are displayed (secret keys are partially hidden)
  3. Click Regenerate to generate new keys
  4. The old key is immediately revoked

API key scopes

  • Each API key now includes explicit scopes.
  • Route access is default-deny for API-key auth unless the route is marked with allowed scopes (or explicitly public).
  • PUBLISHABLE keys can only receive publishable-safe scopes.

After regenerating a key, update your application immediately. The old key stops working as soon as the new one is generated.

Sandbox vs Production

The API key prefix determines the environment:
  • smz_test_sk_ → All requests go to the sandbox (no real money)
  • smz_live_sk_ → All requests go to production (real transactions)
The base URL is the same for both: https://api.simiz.io/v1/
Use environment variables to switch between sandbox and production without code changes:
# .env.development
SIMIZ_SECRET_KEY=smz_test_sk_xxxxxxxxxxxx

# .env.production
SIMIZ_SECRET_KEY=smz_live_sk_xxxxxxxxxxxx
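
Because the prefix alone selects sandbox or production, a startup check can refuse a key that does not match the environment the application expects, and a redaction helper can keep secret keys out of logs. The following is an added example, not code from the Simiz documentation or SDK; the function names, the "sandbox"/"production" labels and the assumed character set of the key body are this example's own.

```python
import os
import re

# Prefixes from the key-type table on this page: prefix -> (environment, kind).
PREFIXES = {
    "smz_test_sk_": ("sandbox", "secret"),
    "smz_live_sk_": ("production", "secret"),
    "smz_test_pk_": ("sandbox", "publishable"),
    "smz_live_pk_": ("production", "publishable"),
}
# Assumption: the key body after the prefix is letters, digits, "_" or "-".
SECRET_RE = re.compile(r"(smz_(?:test|live)_sk_)[A-Za-z0-9_-]+")


def classify(key):
    """Return (environment, kind) for a key, or raise ValueError."""
    for prefix, info in PREFIXES.items():
        if key.startswith(prefix) and len(key) > len(prefix):
            return info
    raise ValueError("value does not start with a known Simiz key prefix")


def load_secret_key(expected_env, environ=os.environ):
    """Read SIMIZ_SECRET_KEY; reject keys of the wrong kind or environment."""
    env, kind = classify(environ.get("SIMIZ_SECRET_KEY", ""))
    if kind != "secret":
        raise ValueError("SIMIZ_SECRET_KEY holds a publishable key")
    if env != expected_env:
        raise ValueError(f"{env} key loaded but {expected_env} expected")
    return environ["SIMIZ_SECRET_KEY"]


def redact(text):
    """Mask the body of every secret key in text, keeping only the prefix."""
    return SECRET_RE.sub(r"\1***", text)


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    sample = {"SIMIZ_SECRET_KEY": "smz_test_sk_CONSTRUCTED0001"}
    key = load_secret_key("sandbox", sample)
    print(redact(f"Authorization: Bearer {key}"))
    try:
        load_secret_key("production", sample)
    except ValueError as err:
        print("refused:", err)
```

The error messages name only the environment and key kind, never the key itself, so they are safe to log.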

Best practices

  • Use environment variables — Never hardcode API keys
  • Restrict key permissions — Use keys with the minimum required permissions
  • Rotate keys regularly — Regenerate keys periodically
  • Monitor usage — Check the Dashboard for unusual API activity