Skip to main content
Quick Start: Get your API keys from the StateSet Dashboard and make your first authenticated request in minutes.

πŸ” Overview

StateSet uses API keys to authenticate requests. Authentication is performed via HTTP headers using the Bearer token format. All API requests must be made over HTTPS.

πŸ”‘ API Key Types

Test Mode

Prefix: sk_test_Use for development and testing. Transactions are simulated and no real money moves.

Live Mode

Prefix: sk_live_Use for production. All transactions are real and irreversible.
Never expose your secret API keys in client-side code, public repositories, or anywhere else accessible to the public.

πŸ“‹ Authentication Methods

Standard Authentication

Include your API key in the Authorization header:

SDK Authentication

When using our official SDKs, initialize with your API key:

πŸ›‘οΈ Security Best Practices

Never hardcode API keys in your source code. Use environment variables:
.env
Regularly rotate your API keys (recommended every 90 days):
  1. Generate a new API key in the dashboard
  2. Update your application to use the new key
  3. Verify everything works correctly
  4. Revoke the old key
  • Development: Use test keys with limited permissions
  • Staging: Use test keys with production-like permissions
  • Production: Use live keys with minimal required permissions
Create keys with only the permissions needed:
Track API key usage to detect anomalies:

πŸ”’ Advanced Authentication

HMAC Signatures (High-Security Operations)

For sensitive operations like large transfers or issuance, add HMAC signatures:

OAuth 2.0 (Partner Integrations)

For third-party integrations, use OAuth 2.0:

πŸ“Š Rate Limits

API keys have different rate limits based on your plan:
PlanRequests/SecondRequests/DayBurst Limit
Free101,00020
Starter100100,000200
Growth1,00010,000,0002,000
EnterpriseCustomCustomCustom

Handling Rate Limits

🚨 Error Responses

Authentication errors return standardized responses:
Common authentication errors:

πŸ”„ Key Management API

Programmatically manage your API keys:

πŸ§ͺ Testing Authentication

Use our test endpoint to verify your authentication:
Success response:

πŸ“± Mobile & Frontend Security

Never use secret API keys in mobile apps or frontend code. Use our public keys or implement a backend proxy.

Public Keys (Read-Only Operations)

Backend Proxy Pattern

πŸ†˜ Troubleshooting

  • Verify API key is correct and properly formatted
  • Check if key is expired or revoked
  • Ensure Bearer prefix is included
  • Confirm using correct environment (test vs live)
  • Check if key has required permissions
  • Verify you’re not exceeding rate limits
  • Ensure accessing allowed endpoints for key type
Run diagnostics:
Check response headers and body for details.

πŸ“š Next Steps

Quick Start Guide

Make your first API call in 5 minutes

SDKs & Libraries

Official SDKs for all major languages

Webhooks

Secure webhook authentication

API Reference

Complete API documentation