Quick Start: Get your API keys from the StateSet Dashboard and make your first authenticated request in minutes.
π Overview
StateSet uses API keys to authenticate requests. Authentication is performed via HTTP headers using the Bearer token format. All API requests must be made over HTTPS.π API Key Types
Test Mode
Prefix:
sk_test_Use for development and testing. Transactions are simulated and no real money moves.Live Mode
Prefix:
sk_live_Use for production. All transactions are real and irreversible.π Authentication Methods
Standard Authentication
Include your API key in theAuthorization header:
SDK Authentication
When using our official SDKs, initialize with your API key:π‘οΈ Security Best Practices
1. Use Environment Variables
1. Use Environment Variables
Never hardcode API keys in your source code. Use environment variables:
.env
2. Implement Key Rotation
2. Implement Key Rotation
Regularly rotate your API keys (recommended every 90 days):
- Generate a new API key in the dashboard
- Update your application to use the new key
- Verify everything works correctly
- Revoke the old key
3. Use Separate Keys per Environment
3. Use Separate Keys per Environment
- Development: Use test keys with limited permissions
- Staging: Use test keys with production-like permissions
- Production: Use live keys with minimal required permissions
4. Restrict Key Permissions
4. Restrict Key Permissions
Create keys with only the permissions needed:
5. Monitor Key Usage
5. Monitor Key Usage
Track API key usage to detect anomalies:
π Advanced Authentication
HMAC Signatures (High-Security Operations)
For sensitive operations like large transfers or issuance, add HMAC signatures:OAuth 2.0 (Partner Integrations)
For third-party integrations, use OAuth 2.0:π Rate Limits
API keys have different rate limits based on your plan:| Plan | Requests/Second | Requests/Day | Burst Limit |
|---|---|---|---|
| Free | 10 | 1,000 | 20 |
| Starter | 100 | 100,000 | 200 |
| Growth | 1,000 | 10,000,000 | 2,000 |
| Enterprise | Custom | Custom | Custom |
Handling Rate Limits
π¨ Error Responses
Authentication errors return standardized responses:π Key Management API
Programmatically manage your API keys:π§ͺ Testing Authentication
Use our test endpoint to verify your authentication:π± Mobile & Frontend Security
Public Keys (Read-Only Operations)
Backend Proxy Pattern
π Troubleshooting
403 Forbidden
403 Forbidden
- Check if key has required permissions
- Verify youβre not exceeding rate limits
- Ensure accessing allowed endpoints for key type
Key Not Working
Key Not Working
Run diagnostics:Check response headers and body for details.
π Next Steps
Quick Start Guide
Make your first API call in 5 minutes
SDKs & Libraries
Official SDKs for all major languages
Webhooks
Secure webhook authentication
API Reference
Complete API documentation