Authorization header:
Keys
- Keys are created in the business dashboard under Tools → API Management (up to 10 active keys per business).
- The full key is shown once at creation. Rigaly stores only a hash — if you lose a key, roll it or create a new one.
- Every key has full access to your business’s data and nothing else — keys never see other businesses.
last_used_atis tracked per key so you can spot unused keys.
Key lifecycle
Security best practices
Keep keys server-side
Keep keys server-side
Never embed keys in mobile apps, browser JavaScript, or public repositories. All calls should come from your backend.
Use environment variables
Use environment variables
Store keys in environment variables or a secret manager, not in code. The
rgly_sk_ prefix makes accidental commits detectable by secret scanners.One key per environment
One key per environment
Use separate keys for production and staging so you can revoke one without affecting the other.
Rotate periodically
Rotate periodically
Roll keys on a schedule (e.g. quarterly). Rolling is atomic — the new key works immediately.
Account requirements
API access is included for all approved businesses at no extra platform cost — pricing stays the same: your monthly subscription plus the per-transaction fee. Requests are rejected with403 while an account is pending, blocked (payment issue), or suspended.