Authentication
Authenticate your API requests using API keys. Keep your secret keys secure and never expose them in client-side code.
API keys
The Shift4 Payments API uses API keys to authenticate requests. You can view and manage your API keys in the developer dashboard.
There are two types of API keys:
- Secret keys - Begin with `sk_`. Use these on your server to make API calls. Never share or expose these keys publicly.
- Publishable keys - Begin with `pk_`. Use these in client-side code to tokenize payment information.
Each key comes in test and live variants:
- Test mode - Contains `test` in the key (e.g., `sk_test_abc123`). Use for development and testing.
- Live mode - Contains `live` in the key (e.g., `sk_live_xyz789`). Use for real transactions in production.
Never commit secret keys to version control or expose them in client-side JavaScript. Use environment variables to store API keys securely.
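The following is an added example, not code from Shift4 or its SDK: a server-side startup guard that reads the key from the environment, rejects a publishable or wrong-mode key, and a scanner that reports secret keys embedded in source text. The variable names `SHIFT4_SECRET_KEY` and `APP_ENV`, and the exact key character set, are assumptions based on the key examples above.

```javascript
// Added example. SHIFT4_SECRET_KEY and APP_ENV are assumed names, not Shift4 conventions.
// Key shape is inferred from the page's examples: <sk|pk>_<test|live>_<rest>.
const KEY_SHAPE = /^(sk|pk)_(test|live)_[A-Za-z0-9_]+$/;

// Split a key into type and mode; null if it does not match the assumed shape.
function classifyKey(key) {
  const m = KEY_SHAPE.exec(String(key ?? '').trim());
  if (!m) return null;
  return { type: m[1] === 'sk' ? 'secret' : 'publishable', mode: m[2], label: `${m[1]}_${m[2]}_****` };
}

// Read the server-side key from an environment object and fail closed on misuse.
function loadSecretKey(env) {
  const info = classifyKey(env.SHIFT4_SECRET_KEY);
  if (!info) throw new Error('SHIFT4_SECRET_KEY is missing or malformed');
  if (info.type !== 'secret') throw new Error('publishable key used where a secret key is required');
  const wanted = env.APP_ENV === 'production' ? 'live' : 'test';
  if (info.mode !== wanted) throw new Error(`${info.mode} key configured, expected ${wanted}`);
  // label is safe to log; the key itself belongs only in the Authorization header
  return { key: String(env.SHIFT4_SECRET_KEY).trim(), mode: info.mode, label: info.label };
}

// Report secret keys embedded in text (source files, client bundles), redacted.
function findEmbeddedSecretKeys(text) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(/\bsk_(test|live)_[A-Za-z0-9_]+/g)) {
      hits.push({ line: i + 1, mode: m[1], label: `sk_${m[1]}_****` });
    }
  });
  return hits;
}

// Constructed sample: a client-side file that wrongly embeds a secret key.
const SAMPLE_SOURCE = [
  "const pub = 'pk_test_abc123';",
  "const shift4 = new Shift4('sk_live_xyz789');",
].join('\n');

console.log(loadSecretKey({ SHIFT4_SECRET_KEY: 'sk_test_abc123', APP_ENV: 'development' }).label);
console.log(findEmbeddedSecretKeys(SAMPLE_SOURCE));
```

Call `loadSecretKey(process.env)` once at startup, and run `findEmbeddedSecretKeys` over staged files or built client bundles in a pre-commit or CI step.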
Making requests
Include your API key in the Authorization header of each request using Bearer authentication:
cURL
```bash
curl https://api.shift4.com/v1/charges \
  -H "Authorization: Bearer sk_test_your_key" \
  -d amount=1999 \
  -d currency=USD \
  -d description="Test charge"
```
Authentication example
```javascript
import Shift4 from '@shift4/payments-sdk';

const shift4 = new Shift4('sk_test_your_key');

// SDK automatically includes the key in all requests
const charges = await shift4.charges.list();
```
Testing
Use test API keys for development and testing. Test mode doesn't process real transactions or interact with real banking networks.
Test card numbers
Use these test card numbers to simulate different scenarios:
| Card Number | Description |
|---|---|
| 4242 4242 4242 4242 | Successful charge |
| 4000 0000 0000 0002 | Declined (generic) |
| 4000 0000 0000 0341 | Declined (insufficient funds) |
| 4000 0000 0000 9995 | Declined (expired card) |
Use any future expiration date, any 3-digit CVC, and any billing address for test cards.