Client-Side Authentication
Secure authentication for frontend and mobile applications
For frontend applications, use client keys instead of secret API keys. Client keys are designed to be safely included in client-side code.
Client keys
Client keys have the prefix pb_ and can only perform limited operations:
- Tokenize payment methods
- Initialize payment sessions
- Retrieve public configuration
```javascript
// Safe to use in frontend code
const plexy = new Plexy('pb_live_your_client_key');
```

Get a client key
Go to Developers > Settings > API Keys in your Dashboard.
Payment sessions
For sensitive operations, use server-generated payment sessions:
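```javascript
// Server-side: Create a payment session
// The amount and currency are set here, on the server, not taken from the client.
const session = await plexy.paymentSessions.create({
  amount: 5000,
  currency: 'USD',
});
```

```javascript
// Client-side: Use the session ID
// `session` is the payment session your server created above.
const plexy = new Plexy('pb_live_your_client_key');
await plexy.confirmPayment(session.client_secret);
```

Security considerations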
Never use secret API keys (pr_) in client-side code. They will be visible to
anyone who inspects your application.
| Do | Don't |
|---|---|
| Use client keys (pb_) in frontend | Expose secret keys (pr_) in frontend |
| Restrict domains | Allow all domains |
| Use payment sessions for amounts | Pass amounts from client |
| Validate on server | Trust client-side data |
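
The last two rows of the table, sketched as server-side code. This is an added example, not Plexy's own code: `CATALOG`, `MAX_QTY`, `priceCart` and `createSessionForCart` are hypothetical, and only `paymentSessions.create({ amount, currency })` and `session.client_secret` come from this page.

```javascript
// Added example: CATALOG, MAX_QTY, priceCart and createSessionForCart are
// hypothetical names. Only paymentSessions.create({ amount, currency }) and
// session.client_secret are taken from the page.

// Server-side price list in minor units. Constructed sample data.
const CATALOG = Object.freeze({
  'sku-tshirt': { unitAmount: 2500, currency: 'USD' },
  'sku-mug': { unitAmount: 1250, currency: 'USD' },
});
const MAX_QTY = 20;

// Price the cart from server-side data only. Any amount, price or currency
// field the client sent is never read; bad SKUs and quantities are rejected.
function priceCart(clientCart) {
  const items = clientCart && clientCart.items;
  if (!Array.isArray(items) || items.length === 0) {
    throw new Error('cart is empty');
  }
  let amount = 0;
  let currency = null;
  for (const item of items) {
    // hasOwnProperty keeps keys such as "__proto__" from resolving to a value.
    if (!item || !Object.prototype.hasOwnProperty.call(CATALOG, item.sku)) {
      throw new Error('unknown sku');
    }
    const entry = CATALOG[item.sku];
    const qty = item.quantity;
    if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY) {
      throw new Error('invalid quantity');
    }
    if (currency !== null && currency !== entry.currency) {
      throw new Error('mixed currencies');
    }
    currency = entry.currency;
    amount += entry.unitAmount * qty;
  }
  return { amount, currency };
}

// Create the session with the secret-key client (server only) and return
// nothing but the client secret to the browser.
async function createSessionForCart(plexy, clientCart) {
  const session = await plexy.paymentSessions.create(priceCart(clientCart));
  return { client_secret: session.client_secret };
}
```

The request body may carry its own `amount` or per-item prices; `priceCart` never reads them, so tampering with those fields in the browser does not change what is charged.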
See also
- API Authentication - Server-side authentication