API Key Types
We support two distinct key types for every store. You can manage these in your Dashboard under Integrations → Developer.Publishable Keys (tybrite_pk_...)
Publishable keys are intended for use in frontend applications, such as React websites, mobile apps, or headless storefronts.
- Scope: Read-only access to non-sensitive data (Products, Categories, Search).
- Security: Safe to include in client-side bundles or public repositories.
- Usage:
Secret Keys (tybrite_sk_...)
Secret keys are for server-side environments and provide full administrative access to your commerce data.
- Scope: Full Read/Write access (Orders, Customers, Payments, Settings).
- Security: Must never be exposed to the client. Keep them in environment variables (
TYBRITE_SECRET_KEY). - Usage:
Environments & Sandbox
The key prefix determines which environment your requests target — there is no separate sandbox base URL.
What sandbox isolation means in practice:
- Orders, customers, cart items, wishlist entries, product reviews, and messaging conversations created with a
testkey are stored in the sandbox partition and are never returned tolivekey requests. - Payment providers switch to test mode automatically when a
testkey is used — Stripe test mode, PayPal sandbox, Paystack test keys, M-Pesa sandbox — regardless of what your store’s payment settings show. - Every authenticated response includes a
Tybrite-Environment: production | sandboxheader so you can confirm which partition resolved.
Authorization Header
For direct REST API calls, provide your key in theAuthorization header using the Bearer scheme:
Advanced Security: HMAC Signing
Sensitive operations, such as order creation or payment initialization, require an additional layer of security to prevent request tampering and replay attacks. For these requests, you must provide verified headers.Generating the Signature
The signature is a SHA-256 HMAC hash of the payload, where the payload is the current Unix timestamp concatenated with the JSON request body.POST /v1/payments/initializePOST /v1/ordersPATCH /v1/orders/:id
🔄 Idempotency Protection
To prevent duplicate charges and orders—especially during network retries—all state-changing financial operations require a mandatoryIdempotency-Key header.
- Mechanism: The server tracks these keys. If a request is retried with the same key, the server returns the original response with an
idempotent: trueflag. - Best Practice: Generate a unique UUID or a hash of the transaction details (e.g.,
payment-order_123-ts_456).
POST /v1/payments/initializePOST /v1/ordersPATCH /v1/orders/:id
Customer Session Tokens (xAuthToken)
While API keys authenticate your application to Galactic Core, customer session tokens authenticate end customers to their own data within your store. They are required on top of an API key for endpoints that access or modify a specific customer’s records (cart, wishlist, profile, gift cards, messaging).
Why both? A leaked publishable key alone gives an attacker no way to read or modify any specific customer’s data — they would also need that customer’s JWT, which only the AuthenticationService can issue, and only after a successful login / OTP verification / magic link redemption.
Affected endpoints
Example flow
Key Usage by Endpoint
Every endpoint accepts one (or a combination) of the credentials above. Use this table to pick the right key before you call. The legend:pkorsk— either a publishable or a secret key works.skonly — a secret key is required; a publishable key returns403 Forbidden.pk(browser) — a publishable key is enough; safe to call directly from the browser.- + session — also requires a customer session token (
xAuthToken, orx-external-authfor bring-your-own-auth). - + HMAC — also requires a request signature.
- Public — no key required.
- Operator — a marketplace operator key (marketplace deployments only).
Discovery & catalog (read)
Cart & wishlist (storefront writes)
Customers & authentication
Checkout — orders & payments
Engagement
Platform & integrations
Marketplace (operator deployments)
Session Management
When building authenticated customer experiences (like “My Account” or “Quick Checkout”), the Tybrite SDK handles session persistence viaxAuthToken.
- Login: Call
client.authentication.login()to receive a session and user object. - Persistence: Store the
session.access_tokensecurely (httpOnly cookies preferred). - Requests: Provide the token via the
xAuthTokenSDK parameter (orx-auth-tokenheader for raw REST) on protected endpoints. - Refresh: Call
client.authentication.refreshToken()~60s beforeexpires_atto rotate to a fresh session.

