# API keys

## Livemode and testing

Every account is divided into two universes: one for testnet, and one for mainnet. All requests exist in one of those two universes, and objects in one universe cannot be manipulated by objects in the other. In **test mode**, transactions can only go to **testnet networks**.

## API keys

API keys authenticate your requests to every endpoint in the Openfort API.

### Project secret and publishable keys

All accounts have a total of four API keys by default—two for test mode and two for live mode:

1. **Test project secret key:** Use this key to authenticate requests on your server when in test mode. By default, you can use this key to perform any API request without restriction.
2. **Test project publishable key:** Use this key for testing purposes in your web or mobile app's client-side code.
3. **Live project secret key:** Use this key to authenticate requests on your server when in live mode. By default, you can use this key to perform any API request without restriction.
4. **Live project publishable key:** When you're ready to launch your app, use this key in your web or mobile app's client-side code.

| Type        | Value                | When to use |
|-------------|----------------------|-------------|
| Secret      | `sk_test_ypc...YZp`  | **On the server-side**: Must be secret and stored securely in your web or mobile app's server-side code (such as in an environment variable or credential management system) to call Openfort APIs. Don't expose this key on a website or embed it in a mobile application. |
| Publishable | `pk_test_ZXb...aWg`  | **On the client-side**: Can be publicly accessible in your web or mobile app's client-side code (such as `openfort-js`). |
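
The handling rules in the table above can be enforced in code rather than by convention. The following JavaScript is an added example, not part of the Openfort documentation or SDK: a server start-up guard plus a build-time check for secret keys in client-side text. It assumes live keys use `sk_live_` / `pk_live_` prefixes, a key body of at least 8 alphanumeric characters, and a hypothetical `OPENFORT_SECRET_KEY` environment variable.

```javascript
// Added example, not Openfort code. Assumptions: live keys use sk_live_ / pk_live_
// (the page shows only test-mode prefixes), the key body is 8+ alphanumerics, and
// OPENFORT_SECRET_KEY is a hypothetical environment variable name.
const WHOLE_KEY = /^(sk|pk)_(test|live)_[A-Za-z0-9]{8,}$/;
const SECRET_IN_TEXT = /\bsk_(?:test|live)_[A-Za-z0-9]{8,}/g;

// Return { type, mode } for a well-formed key, or null for anything else.
function classifyKey(key) {
  const m = WHOLE_KEY.exec(String(key ?? "").trim());
  return m ? { type: m[1] === "sk" ? "secret" : "publishable", mode: m[2] } : null;
}

// Shorten a key for logs, in the shape the page uses (sk_test_ypc...YZp).
function redact(key) {
  const cut = key.lastIndexOf("_") + 1;
  return `${key.slice(0, cut)}${key.slice(cut, cut + 3)}...${key.slice(-3)}`;
}

// Server start-up guard: take the secret key from the environment and refuse a
// missing key, a publishable key, or a key from the other universe.
function loadServerKey(env, expectedMode) {
  const key = String(env.OPENFORT_SECRET_KEY ?? "").trim();
  const info = classifyKey(key);
  if (!info) throw new Error("OPENFORT_SECRET_KEY is missing or malformed");
  if (info.type !== "secret") throw new Error("a publishable key was supplied as the secret key");
  if (info.mode !== expectedMode) throw new Error(`expected a ${expectedMode} key, got a ${info.mode} key`);
  return key;
}

// Build-time check: list secret keys found in text that ships to clients.
function findSecretKeys(clientText) {
  return [...clientText.matchAll(SECRET_IN_TEXT)].map((m) => ({ index: m.index, key: redact(m[0]) }));
}

// Constructed sample: a client bundle that wrongly embeds a secret key.
const sampleBundle =
  'init({ publishableKey: "pk_test_ZXbCONSTRUCTED0aWg", secret: "sk_test_ypcCONSTRUCTED0YZp" });';
console.log(findSecretKeys(sampleBundle)); // one finding, key printed redacted
```

Run `findSecretKeys` over built client assets in CI and fail the build on any finding; a key that has already shipped should be regenerated, not just removed from the bundle.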

### Embedded wallet keys (Shield)

All accounts have a total of three API keys by default for Shield functionality:

1. **Shield secret key:** Use this key to store your users' recovery shares on the server.
2. **Shield publishable key:** When you're ready to launch your app, use this key in your web or mobile app's client-side code.
3. **Shield encryption share key:** Used only with [automatic recovery](/docs/configuration/recovery-methods), to encrypt the recovery share.

### Backend wallet keys

All accounts have one active **wallet secret**, which is required to control your backend wallets.
To learn more about how the wallet secret works, head to [backend wallet authentication](/docs/products/server/authentication).

## Reveal an API secret key in your dashboard

Openfort APIs use your secret key to authenticate requests from your server. To find your API secret key for test mode:

1. Open the [API keys](https://dashboard.openfort.io/api-keys) page.
2. Under **API keys**, in the **Secret key** row, click **Reveal test key** and save the value.

## Regenerate API keys

:::warning
Regenerating an API key will invalidate the current key and generate a new one. This action cannot be undone. If you have set up webhooks or registered a Shield project with the key, you will need to update them with the new key.
:::

Openfort supports the ability to regenerate, delete and create API keys. You can do this at any time in the [API keys](https://dashboard.openfort.io/api-keys) section of the dashboard.

* **Delete and regenerate API keys**:

![generate-delete-api-keys](https://www.openfort.io/images/blog/regenerate_delete_api_keys_f6b94994b0.png)

* **Generate new API keys**: You can have multiple API keys at once, so when you plan to replace a key you can create the new one first and avoid disrupting your integration.

![generate-api-keys](https://www.openfort.io/images/blog/generate_api_keys_5807b195fa.png)

## Limit API keys interaction by IP

Openfort supports limiting the IPs that can interact with Openfort services using specific API keys.

To enable this, navigate to the [API keys](https://dashboard.openfort.io/api-keys) section of the dashboard and press the three dots next to the **secret key**.

A new page appears with an **Allowlist IPs** option:

![whitelist-ips](https://www.openfort.io/images/blog/regenerate_delete_api_keys_f6b94994b0.png)

You can then add multiple IPs per single secret key.

If you try to make a request from an unauthorized IP, you receive a `Forbidden` error:

```json
{
  "error": {
    "type": "invalid_request_error",
    "message": "Access is limited for this address"
  }
}
```
