Understanding API Keys
VerifyTaka provides two types of keys. Choosing the right one ensures your platform remains secure while providing a seamless experience for your users.
Public Key
vt_pk_...
Designed for client-side environments like browsers or mobile apps. Since these environments are visible to anyone, the Public Key has restricted permissions to prevent abuse.
Core Behavior
- Trust Level: Low. Requests are strictly validated.
- CORS Restricted: Only works from your "Allowed Origins".
- Webhook Mandatory: Since the browser can't be trusted, the final confirmation is sent directly to your server via Webhook.
Secret Key
vt_sk_...
Designed for server-to-server communication. This key is your master key and should never be shared or exposed in frontend code.
Core Behavior
- Trust Level: High. Assumed to be a request from the owner.
- Instant Verification: Marks transactions as used and returns the full result immediately.
- No CORS: Can be used from any backend environment (PHP, Python, Node, etc.).
The Verification Flow
How our backend treats requests based on the key type.
Using Secret Key
1. Request Sent
Your backend calls our API with the Secret Key.
2. Instant Processing
We verify the TxnID and Amount. If valid, we mark it as "Used" immediately.
3. Full Response
Your server receives the full transaction details to complete the order.
Using Public Key
1. Browser Request
A visitor's browser sends the TxnID using the Public Key.
2. Direct Notification (Webhook)
If valid, we notify your backend server directly via a signed Webhook.
3. Secure Confirmation
Your server confirms the payment via the Webhook, not the browser response.
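A server-side handler for step 3 of the Public Key flow, as an added example that is not VerifyTaka's own code. This page does not specify the signature scheme or the payload format, so the HMAC-SHA256 over the raw body, the field names txn_id and amount, the secret and the order store are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumptions, not from the VerifyTaka docs: the signature is a hex HMAC-SHA256
# of the raw request body under a shared webhook secret, and the payload has
# "txn_id" and "amount" fields. All values below are constructed samples.
WEBHOOK_SECRET = b"constructed-webhook-secret"

# Orders as the server recorded them. txn_id is what the browser reported and
# stays untrusted until a verified webhook confirms it.
ORDERS = {"order-1001": {"txn_id": "TXN123", "amount": "500.00", "status": "pending"}}


def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 of the raw body; also used to build sample input."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body: bytes, signature: str) -> str:
    """Return 'paid', 'duplicate' or 'rejected: <reason>'."""
    # 1. Authenticate the sender over the exact bytes received, in constant time.
    if not hmac.compare_digest(sign(raw_body).encode(), signature.encode()):
        return "rejected: bad signature"
    try:
        event = json.loads(raw_body)
    except ValueError:
        return "rejected: malformed body"
    if not isinstance(event, dict):
        return "rejected: malformed body"
    # 2. Find the order the server itself created for this transaction.
    order = next((o for o in ORDERS.values() if o["txn_id"] == event.get("txn_id")), None)
    if order is None:
        return "rejected: unknown transaction"
    # 3. The amount must match what the server expected to be paid.
    if event.get("amount") != order["amount"]:
        return "rejected: amount mismatch"
    # 4. Webhook retries and replays must not fulfil the order twice.
    if order["status"] == "paid":
        return "duplicate"
    order["status"] = "paid"
    return "paid"
```

The order is marked paid only inside this handler, so a forged or modified browser response cannot change its status.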
Security Warning
Never use your Secret Key in any file that is sent to the client (HTML, JavaScript, CSS). If your Secret Key is compromised, rotate it immediately in your Dashboard.