Skip to main content
Tybrite uses a dual-key architecture to ensure maximum security without sacrificing developer experience. Depending on where your code runs, you will use different keys and authentication patterns.

API Key Types

We support two distinct key types for every store. You can manage these in your Dashboard under Integrations → Developer.

Publishable Keys (tybrite_pk_...)

Publishable keys are intended for use in frontend applications, such as React websites, mobile apps, or headless storefronts.
  • Scope: Read-only access to non-sensitive data (Products, Categories, Search).
  • Security: Safe to include in client-side bundles or public repositories.
  • Usage:

Secret Keys (tybrite_sk_...)

Secret keys are for server-side environments and provide full administrative access to your commerce data.
  • Scope: Full Read/Write access (Orders, Customers, Payments, Settings).
  • Security: Must never be exposed to the client. Keep them in environment variables (TYBRITE_SECRET_KEY).
  • Usage:

Environments & Sandbox

The key prefix determines which environment your requests target — there is no separate sandbox base URL. What sandbox isolation means in practice:
  • Orders, customers, cart items, wishlist entries, product reviews, and messaging conversations created with a test key are stored in the sandbox partition and are never returned to live key requests.
  • Payment providers switch to test mode automatically when a test key is used — Stripe test mode, PayPal sandbox, Paystack test keys, M-Pesa sandbox — regardless of what your store’s payment settings show.
  • Every authenticated response includes a Tybrite-Environment: production | sandbox header so you can confirm which partition resolved.
Build and test your entire integration with tybrite_sk_test_* keys. When you’re ready for production, swap to tybrite_sk_live_* and the right environment follows automatically — no code changes needed.

Authorization Header

For direct REST API calls, provide your key in the Authorization header using the Bearer scheme:

Advanced Security: HMAC Signing

Sensitive operations, such as order creation or payment initialization, require an additional layer of security to prevent request tampering and replay attacks. For these requests, you must provide verified headers.

Generating the Signature

The signature is a SHA-256 HMAC hash of the payload, where the payload is the current Unix timestamp concatenated with the JSON request body.
Endpoints requiring HMAC signing:
  • POST /v1/payments/initialize
  • POST /v1/orders
  • PATCH /v1/orders/:id

🔄 Idempotency Protection

To prevent duplicate charges and orders—especially during network retries—all state-changing financial operations require a mandatory Idempotency-Key header.
  • Mechanism: The server tracks these keys. If a request is retried with the same key, the server returns the original response with an idempotent: true flag.
  • Best Practice: Generate a unique UUID or a hash of the transaction details (e.g., payment-order_123-ts_456).
Endpoints requiring an Idempotency Key:
  • POST /v1/payments/initialize
  • POST /v1/orders
  • PATCH /v1/orders/:id

Customer Session Tokens (xAuthToken)

While API keys authenticate your application to Galactic Core, customer session tokens authenticate end customers to their own data within your store. They are required on top of an API key for endpoints that access or modify a specific customer’s records (cart, wishlist, profile, gift cards, messaging). Why both? A leaked publishable key alone gives an attacker no way to read or modify any specific customer’s data — they would also need that customer’s JWT, which only the AuthenticationService can issue, and only after a successful login / OTP verification / magic link redemption.

Affected endpoints

Example flow

Recommended storage: prefer httpOnly, Secure, SameSite=Lax cookies over localStorage. Cookies are immune to XSS-based token theft and the browser handles attachment automatically. Reach for localStorage only when your storefront is a native mobile WebView or a same-origin SPA without a backing server, and pair it with a strict CSP.
Never log, persist server-side, or share customer access tokens between sessions. Each token is bound to a single customer and grants direct read/write access to their cart, wishlist, profile, and messages.

Key Usage by Endpoint

Every endpoint accepts one (or a combination) of the credentials above. Use this table to pick the right key before you call. The legend:
  • pk or sk — either a publishable or a secret key works.
  • sk only — a secret key is required; a publishable key returns 403 Forbidden.
  • pk (browser) — a publishable key is enough; safe to call directly from the browser.
  • + sessionalso requires a customer session token (xAuthToken, or x-external-auth for bring-your-own-auth).
  • + HMACalso requires a request signature.
  • Public — no key required.
  • Operator — a marketplace operator key (marketplace deployments only).

Discovery & catalog (read)

Cart & wishlist (storefront writes)

Customers & authentication

Checkout — orders & payments

Engagement

Platform & integrations

Marketplace (operator deployments)


Session Management

When building authenticated customer experiences (like “My Account” or “Quick Checkout”), the Tybrite SDK handles session persistence via xAuthToken.
  1. Login: Call client.authentication.login() to receive a session and user object.
  2. Persistence: Store the session.access_token securely (httpOnly cookies preferred).
  3. Requests: Provide the token via the xAuthToken SDK parameter (or x-auth-token header for raw REST) on protected endpoints.
  4. Refresh: Call client.authentication.refreshToken() ~60s before expires_at to rotate to a fresh session.
Our TypeScript SDK exposes refreshToken so you can wire up a scheduled rotation. See the Authentication Service for the full method reference and lifecycle diagram.