Key Naming Convention
Paychainly API keys follow the format:
- `pk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx` (production)
- `pk_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxx` (sandbox)
The prefix makes it easy to grep your codebase for accidentally committed keys.
Creating Keys in the Dashboard
- Navigate to Settings → API Keys → New Key.
- Name the key (e.g., "Production Backend", "Staging CI").
- Set an optional expiry date.
- Copy the key — it is shown only once.
Hashed Storage
Paychainly stores only the HMAC-SHA256 hash of your key, never the key itself. If the database is compromised, a copy of the stored hashes alone does not let an attacker recover your raw API key.
Environment-Per-Key Strategy
| Environment | Key Type | Expiry |
|---|---|---|
| Production | pk_live_... | 1 year (auto-rotate) |
| Staging | pk_test_... | 3 months |
| Local Dev | pk_test_... | No expiry |
| CI/CD | pk_test_... | 30 days |
Key Rotation Procedure
- Generate a new key in the dashboard.
- Deploy the new key to your environment variables (zero downtime if you use a secret manager).
- Wait 15 minutes and confirm that no errors appear.
- Revoke the old key from the dashboard.
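The hashed-storage model and the rotation procedure above, shown together as an added example (this is illustrative code, not Paychainly's implementation). It assumes a server-side HMAC pepper held outside the database (`SERVER_PEPPER`, a constructed value), a 28-character alphanumeric key body matching the documented prefix format, and an in-memory store standing in for the real database. The store keeps only hashes, allows the old and new key to overlap during the rotation window, records a last-used timestamp on every successful authentication, and rejects revoked or expired keys.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical server-side pepper. In a real deployment it lives in a secret
# manager, separate from the database, so a DB dump alone cannot verify keys.
SERVER_PEPPER = b"constructed-example-pepper-do-not-use"

# Assumed key body alphabet; the docs only show 28 placeholder characters.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
BODY_LENGTH = 28


def generate_key(live: bool) -> str:
    """Produce a key in the documented pk_live_/pk_test_ format."""
    prefix = "pk_live_" if live else "pk_test_"
    return prefix + "".join(secrets.choice(ALPHABET) for _ in range(BODY_LENGTH))


def hash_key(raw_key: str) -> str:
    """HMAC-SHA256 of the raw key under the server pepper; this is all that is stored."""
    return hmac.new(SERVER_PEPPER, raw_key.encode(), hashlib.sha256).hexdigest()


@dataclass
class KeyRecord:
    name: str
    key_hash: str
    created_at: datetime
    expires_at: Optional[datetime]
    revoked: bool = False
    last_used_at: Optional[datetime] = None


class KeyStore:
    """In-memory stand-in for the key table. Records are indexed by hash, never by raw key."""

    def __init__(self) -> None:
        self._records: dict[str, KeyRecord] = {}

    def create(self, name: str, live: bool, ttl: Optional[timedelta], now: datetime) -> str:
        """Create a key and return the raw value exactly once; only its hash is retained."""
        raw = generate_key(live)
        h = hash_key(raw)
        self._records[h] = KeyRecord(name, h, now, now + ttl if ttl else None)
        return raw

    def authenticate(self, presented: str, now: datetime) -> Optional[KeyRecord]:
        """Return the matching active record, updating last_used_at, or None."""
        # Because the hash is keyed with a secret pepper, a direct lookup by hash
        # is safe; an attacker cannot compute candidate hashes without the pepper.
        rec = self._records.get(hash_key(presented))
        if rec is None or rec.revoked:
            return None
        if rec.expires_at is not None and now >= rec.expires_at:
            return None
        rec.last_used_at = now  # feeds the dashboard's last-used timestamp
        return rec

    def revoke(self, key_hash: str) -> bool:
        """Revoke by stored hash (the dashboard never has the raw key)."""
        rec = self._records.get(key_hash)
        if rec is None:
            return False
        rec.revoked = True
        return True


def rotate_key(store: KeyStore, name: str, live: bool, ttl: timedelta, now: datetime) -> str:
    """Step 1 of the rotation procedure: issue the replacement while the old key stays valid.

    The caller deploys the returned key, waits out the confirmation window, then calls
    store.revoke(hash_key(old_key)) to complete the rotation.
    """
    return store.create(f"{name} (rotated {now.date().isoformat()})", live, ttl, now)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    store = KeyStore()
    old = store.create("Production Backend", live=True, ttl=timedelta(days=365), now=now)
    new = rotate_key(store, "Production Backend", True, timedelta(days=365), now)
    # Both keys work during the overlap window; after revocation only the new one does.
    print(store.authenticate(old, now) is not None, store.authenticate(new, now) is not None)
    store.revoke(hash_key(old))
    print(store.authenticate(old, now + timedelta(minutes=15)) is None)
```

The overlap is the important property: the old key keeps working until you explicitly revoke it, which is what makes the 15-minute confirmation window in the procedure safe. A rotation helper that revoked the old key immediately would turn a failed deploy into an outage.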
Detecting Leaked Keys
Set up GitHub secret scanning and a git-secrets pre-commit hook to prevent keys from being committed. The Paychainly dashboard shows a last-used timestamp per key; unexpected activity is a sign of compromise.
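A small scanner for the documented key prefixes, added here as an example of the grep-based check mentioned under the naming convention and of a custom pre-commit hook for this section; it is not a Paychainly tool. It assumes the key body is 28 alphanumeric characters (the page only shows 28 placeholder x's), skips documentation placeholders whose body repeats a single character, and prints keys masked so the hook's own output does not leak the secret. The sample input is constructed.

```python
import re
import sys

# Documented prefixes followed by a 28-character body. The alphanumeric
# character class is an assumption; the docs show only placeholder x's.
KEY_RE = re.compile(r"\bpk_(live|test)_([A-Za-z0-9]{28})\b")


def is_placeholder(body: str) -> bool:
    """Docs placeholders such as pk_live_xxxx... repeat one character; ignore them."""
    return len(set(body)) == 1


def mask(key: str) -> str:
    """Keep the prefix and last four characters so a finding is identifiable but not usable."""
    return key[:8] + "*" * (len(key) - 12) + key[-4:]


def find_keys(text: str) -> list[dict]:
    """Return one finding per real-looking key, with line number, environment and masked value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            if is_placeholder(m.group(2)):
                continue
            findings.append({"line": line_no, "kind": m.group(1), "masked": mask(m.group(0))})
    return findings


def scan_paths(paths: list[str]) -> dict[str, list[dict]]:
    """Scan each readable file; unreadable paths (binaries, deleted files) are skipped."""
    results = {}
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                found = find_keys(fh.read())
        except OSError:
            continue
        if found:
            results[path] = found
    return results


# Constructed sample: a live key, a sandbox key, and a docs placeholder.
SAMPLE = (
    'PAYCHAINLY_KEY = "pk_live_A1b2C3d4E5f6G7h8I9j0K1l2M3n4"\n'
    "test_key = 'pk_test_abcdefghijklmnopqrstuvwxyz01'\n"
    "# format: pk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
)


def main(argv: list[str]) -> int:
    """Exit 1 when any key is found, so a pre-commit hook blocks the commit."""
    if not argv:
        print("usage: scan_keys.py FILE...", file=sys.stderr)
        return 2
    results = scan_paths(argv)
    for path, found in results.items():
        for f in found:
            print(f"{path}:{f['line']}: {f['kind']} key {f['masked']}")
    return 1 if results else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired into a pre-commit hook as `git diff --cached --name-only -z | xargs -0 python scan_keys.py`, the non-zero exit status blocks the commit. Because the regex anchors on the fixed prefix, it has far fewer false positives than a generic high-entropy-string scanner, which is the practical benefit of the naming convention.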