Where API Keys Live
API keys are per-project. You manage them from each project’s detail page:
Dashboard → Projects → [your project] → API Keys section
There is no standalone “API Keys” menu item; keys always belong to a specific project.
Key Types
| Type | Prefix | What happens |
|---|---|---|
| Test | test_ | Sandbox — no real money; test phone number works; completes instantly |
| Live | live_ | Production — real USSD sent; real money moves |
Creating a Key
- Go to payments.rohopay.com → Projects
- Click the project you want to integrate
- In the project detail page, click Generate Key in the API Keys section
- Choose Test or Live
- Add an optional label (e.g., “Server – Production”)
- Copy the key immediately — it is never shown again
Key Display
After creation, only the prefix is stored and shown (e.g., test_abc123••••••). If you lose the key, you must generate a new one.
Revoking a Key
Click the revoke icon next to any key in the project detail page. Revoked keys return 401 UNAUTHORIZED immediately; there is no grace period.
Rotating a Key
Key rotation generates a fresh key and revokes the old one atomically. Use it when a key may have been exposed:
- Dashboard: Project detail → API Keys → Rotate button next to the key
- API (session auth): POST /dashboard/projects/{id}/api-keys/{keyId}/rotate
Security Rules
Server-side only for live_ keys
Never put a live_ key in browser JavaScript, a mobile app bundle, or a public repo. Use Next.js API routes, Express middleware, or a backend server.
One key per service, not per developer
Create one live key per deployed service (your API server). Rotate when a team member with access leaves.
Use secrets managers in production
On Vercel: Environment Variables (encrypted). On Railway/Render: Secret env vars. Never hardcode in source.
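One way to enforce these rules in a Node.js backend, as an added example that is not RohoPay's own code: load the key from the environment, reject a key type that does not match the deployment, and scan source text for pasted keys in a pre-commit or CI step. The variable names ROHOPAY_API_KEY and NODE_ENV and the key-body pattern are assumptions; the page documents only the test_ and live_ prefixes.

```javascript
// Assumed names (not from the RohoPay docs): ROHOPAY_API_KEY, NODE_ENV,
// and the key-body character set in KEY_PATTERN. Only the test_/live_
// prefixes are documented on the page.
const KEY_PATTERN = /\b(test|live)_[A-Za-z0-9]{8,}\b/g;

// Load the key from the environment and refuse mismatched key types:
// a test_ key in production never moves real money, a live_ key in
// development or CI does.
function loadApiKey(env = process.env) {
  const key = env.ROHOPAY_API_KEY;
  if (!key) throw new Error('ROHOPAY_API_KEY is not set');
  const isProd = env.NODE_ENV === 'production';
  if (key.startsWith('live_')) {
    if (!isProd) throw new Error('live_ key loaded outside production');
  } else if (key.startsWith('test_')) {
    if (isProd) throw new Error('test_ key loaded in production');
  } else {
    throw new Error('unrecognized key prefix');
  }
  return key;
}

// Log-safe form: keep the type prefix and a short stub, mask the rest.
function redactKey(key) {
  const cut = key.indexOf('_') + 1 + 6;
  return key.slice(0, cut) + '••••••';
}

// Scan source text for hardcoded keys. Returns line numbers and
// redacted matches, never the full key.
function findHardcodedKeys(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(KEY_PATTERN)) {
      hits.push({ line: i + 1, type: m[1], key: redactKey(m[0]) });
    }
  });
  return hits;
}

// Constructed sample: one key read from the environment, one pasted in.
const SAMPLE = [
  'const a = process.env.ROHOPAY_API_KEY;',
  'const b = "live_abc123DEF456ghi789";',
].join('\n');
console.log(findHardcodedKeys(SAMPLE));
```

A key that this scan finds in a repository should be rotated, not just deleted from the file, since it remains in version history.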