API keys

API keys authenticate server-side requests to the CashXChain API.

Environments

CashXChain uses separate keys for sandbox and production.

  • Sandbox keys start with cx_sandbox_.
  • Production keys start with cx_live_.

Never use production keys in local development or client-side applications.

Key scopes

API keys can be scoped by permission:

  • accounts:read
  • accounts:write
  • wallets:read
  • beneficiaries:write
  • quotes:write
  • payments:write
  • statements:read
  • webhooks:write
  • admin:read

Use the narrowest scope that supports your integration.

Creating keys

Admins can create keys in the dashboard or through the API where enabled. A secret is shown only once. Store it immediately in a secret manager.

Rotation

Rotate keys regularly, and rotate immediately after any suspected exposure.

Recommended rotation process:

  1. Create a new key with the same scopes.
  2. Deploy the new key to your secret manager.
  3. Confirm successful API calls.
  4. Revoke the old key.
  5. Review logs for unexpected usage.

Security requirements

  • Store keys only in server-side secret storage.
  • Do not commit keys to Git.
  • Do not expose keys in frontend code.
  • Restrict keys by environment and scope.
  • Monitor failed authentication attempts.
  • Revoke unused keys.
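
The environment prefixes and the "Do not commit keys to Git" requirement can be checked mechanically. The following is an added example, not CashXChain code: a Python check that finds key-like strings by prefix (for use on files about to be committed) and rejects a key whose prefix does not match the running environment. The key body pattern, the function names and the sample values are assumptions made for this example.

```python
import re
import sys

# The two prefixes come from the page. The key body format is not documented
# there, so the character class and minimum length below are assumptions.
KEY_RE = re.compile(r"\b(cx_live_|cx_sandbox_)[A-Za-z0-9_-]{8,}")
ENV_FOR_PREFIX = {"cx_live_": "production", "cx_sandbox_": "sandbox"}

def find_keys(text):
    """Return (line_number, environment, redacted_token) for each key-like string."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            prefix = match.group(1)
            # Never echo the secret itself into logs or CI output.
            hits.append((number, ENV_FOR_PREFIX[prefix], prefix + "<redacted>"))
    return hits

def key_allowed(key, app_env):
    """True only if the key's prefix matches the environment the process runs in."""
    for prefix, env in ENV_FOR_PREFIX.items():
        if key.startswith(prefix):
            return env == app_env
    return False  # unknown prefix: fail closed

def scan_files(paths):
    """Scan files (e.g. those staged for commit); return the number of findings."""
    findings = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for number, env, token in find_keys(handle.read()):
                print(f"{path}:{number}: {env} key {token}")
                findings += 1
    return findings

# Constructed sample input; the key values are made up for this example.
SAMPLE = '''API_BASE = "https://api.example.test"
CX_KEY = "cx_live_EXAMPLEexample0001"
# test fixture: cx_sandbox_EXAMPLEexample0002
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if scan_files(sys.argv[1:]) else 0)
    for hit in find_keys(SAMPLE):
        print(hit)
```

Run with file paths as arguments, it exits non-zero when any key-like string is found, so it can block a commit or a CI job; key_allowed can be called at service start-up so a sandbox deployment refuses a cx_live_ key.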

Compromised keys

If a key is compromised, revoke it immediately and contact CashXChain support if production payment capability may have been affected.