Client-Side Authentication
Secure authentication for frontend and mobile applications
Client-Side Authentication
For frontend applications, use client keys instead of secret API keys. Client keys are designed to be safely included in client-side code.
Client keys
Client keys have the prefix pb_ and can only perform limited operations:
- Tokenize payment methods
- Initialize payment sessions
- Retrieve public configuration
// Safe to use in frontend code
const plexy = new Plexy('pb_live_your_client_key');Get a client key
Go to Developers > Settings > API Keys in your Dashboard.
Payment sessions
For sensitive operations, use server-generated payment sessions:
curl -X POST https://api.plexypay.com/v2/payment-sessions \
-H "x-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"amount": 5000, "currency": "USD"}'// Client-side: Use the session ID
const plexy = new Plexy('pb_live_your_client_key');
await plexy.confirmPayment(session.client_secret);Security considerations
Never use secret API keys (pr_) in client-side code. They will be visible to
anyone who inspects your application.
| Do | Don't |
|---|---|
Use client keys (pb_) in frontend | Expose secret keys (pr_) in frontend |
| Restrict domains | Allow all domains |
| Use payment sessions for amounts | Pass amounts from client |
| Validate on server | Trust client-side data |
See also
- API Authentication - Server-side authentication