API keys

Learn how to use your account's API keys.

Digital River uses your account's API keys to authenticate your API requests. If you do not include your key when you send an API request or use an incorrect or outdated key, Digital River returns an error.

Your account provides separate keys for testing and for running live transactions. You can use these keys when sending API requests in either test or live mode. Resources in one mode cannot change resources in another mode.

There are two types of API keys: public and secret.

  • Public API keys: Use these keys to identify your account with Digital River. You can use them with your DigitalRiver.js JavaScript code. Public keys can only create sources.

  • Secret API keys: Use your account's secret API key when you want to send an API request to Digital River without restriction. Keep these keys confidential and only store them on your servers.

Digital River provides each account with four keys: a public and secret pair for both test mode and live mode.

Get your API keys

Prerequisite: You need to obtain your Digital River API credentials before you can access your keys in the Digital River Dashboard. See Obtaining Digital River API credentials for instructions.

To get your keys, sign in to Digital River Dashboard. The API keys page displays your public key. To see your secret key, click Reveal token or Reveal test token, provide your credentials, and click Authenticate. The Token field will display the key.


Test and live modes

The test and live modes behave similarly with the following exceptions:

  • You can only use test payment information in test mode. Card networks and payment providers do not process payments when in test mode.

  • The flow is different for some payment methods using Sources in live mode. They may require more steps when in test mode.

  • In test mode, Digital River retries webhooks three times over a few hours (as opposed to 72 hours for live mode) when it does not receive a successful acknowledgment.

Secure your API keys and secrets

Limit access to your API keys and secrets to those who need them. Do not store them in a version control system.
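One way to enforce the version-control rule above is to scan files for key-like strings before they are committed. The following is an added example, not Digital River's code. The key pattern (a pk_ or sk_ prefix followed by test or live), the function names, and the sample file contents are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# ASSUMPTION: keys look like "<pk|sk>_<test|live>_<16+ alphanumerics>".
# The page does not document the key format; adjust KEY_RE to match your keys.
KEY_RE = re.compile(r"\b(pk|sk)_(test|live)_([A-Za-z0-9]{16,})\b")

class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str      # "public" or "secret"
    mode: str      # "test" or "live"
    redacted: str  # never echo the full key into CI logs

def scan(path: str, text: str) -> list[Finding]:
    """Return every key-like token in text, with the key body redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            prefix, mode, body = m.groups()
            kind = "secret" if prefix == "sk" else "public"
            redacted = f"{prefix}_{mode}_{body[:4]}..."
            findings.append(Finding(path, line_no, kind, mode, redacted))
    return findings

def blocking(findings: list[Finding]) -> list[Finding]:
    """Secret keys block the commit in either mode; public keys are only reported."""
    return [f for f in findings if f.kind == "secret"]

def scan_all(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan(path, text)]

# Constructed sample files (the key values are made up for this example).
SAMPLE_FILES = {
    "web/checkout.js": 'const DR_PUBLIC_KEY = "pk_test_0123456789abcdef0123456789abcdef";\n',
    "server/settings.py": '# config\nDR_SECRET = "sk_live_fedcba9876543210fedcba9876543210"\n',
    "server/client.py": 'import os\nDR_SECRET = os.environ["DR_SECRET_KEY"]\n',
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        action = "BLOCK" if f.kind == "secret" else "note"
        print(f"{action}: {f.path}:{f.line_no} {f.kind} {f.mode} key {f.redacted}")
```

Run against staged files in a pre-commit hook or CI job, a non-empty result from blocking() should fail the check. A secret key that has already been committed should be rotated, since it remains in the repository history.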

Rotating keys

You can rotate an API key in your Dashboard if you think it is compromised. When you rotate a key, the Dashboard blocks the old key and generates a new one. You can choose to block the old key immediately or allow it to keep working for 12 hours, which gives you time to make the transition. In either case, you can use the new key immediately.

To rotate a key:

  1. From the API keys page on the Dashboard, click More options (vertical ellipses) associated with the key you want to rotate and click Rotate.

  2. Complete the fields in the Rotate API Key dialog and click Rotate API Key.

Restricted keys

Use your account’s secret API keys when you want to perform any API request without restriction.

If you want more security, you can create restricted API keys. A restricted key reduces risk when using or building services by providing the minimum level of access and permissions a service needs to access specific resources in the Digital River API. Use restricted keys when you want to limit access for services that interact with the Digital River API.

To create a restricted key:

  1. From the API keys page on the Dashboard, click Create Restricted Key.

  2. Complete the fields and click Create Key.

You can delete a restricted key when you no longer need it or if you suspect it is compromised. You can also rotate or edit a restricted key to change its level of access.

To delete a restricted key:

  1. From the API keys page on the Dashboard, click More options (vertical ellipses) associated with the restricted key you want to delete and click Delete.

  2. Complete the fields in the Delete API Key dialog and click Confirm.