When you need a key
The buy button works with no key at all — it talks to public, project-scoped endpoints. A key is for the other path: calls you make from your own server, where you create a checkout or read a transaction’s status in code. Keys live under your project’s API Keys tab.
Create a key
Click Create key, give it a name you’ll recognise later — usually where it runs, like “Production server” — and click Generate key. The name is only a label for you; it doesn’t change what the key can do (a key is scoped to this project).
Copy it once
The key is shown once, right after you generate it. It starts with cmk_. Copy it now and store it somewhere safe — we keep only a hash, so we can’t show it to you again. Lose it and you simply create a new one and delete the old.
Treat the key like a password. Use it only from server-side code, send it in the Authorization header as a bearer token, and never put it in a web page, a public repo, or anything that ships to a buyer’s browser. Anyone with the key can act for your project.
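One way to enforce the rule above before code ships: a small scan, run in CI or as a pre-commit hook, that flags anything looking like a key in files headed for a repo or a browser. This is an added example, not code from the product; the page only states the cmk_ prefix, so the body length and alphabet in the pattern, the file-type list, and the sample key are assumptions.

```python
import re
import sys
from pathlib import Path

# Assumption: the page only states the "cmk_" prefix. The body length and
# alphabet below are guesses chosen to avoid matching ordinary identifiers.
KEY_RE = re.compile(r"\bcmk_[A-Za-z0-9_-]{20,}")
# File types that typically ship to a browser or sit in a repository.
SCAN_SUFFIXES = {".html", ".js", ".ts", ".jsx", ".tsx", ".json", ".env", ".yml", ".yaml", ".py"}
# Constructed sample input: the key below is made up, not a real credential.
SAMPLE = '<script>\nconst apiKey = "cmk_EXAMPLEexample0123456789ab";\n</script>\n'


def mask(key: str) -> str:
    """Show only a short prefix, so the report never repeats the secret."""
    return key[:8] + "..."


def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked key) for every key-like token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, mask(match.group())))
    return hits


def scan_tree(root: str) -> list[tuple[str, int, str]]:
    """Scan matching files under root, skipping the .git directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if ".git" in path.parts or not path.is_file():
            continue
        if path.suffix not in SCAN_SUFFIXES and path.name != ".env":
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        findings += [(str(path), n, m) for n, m in scan_text(text)]
    return findings


if __name__ == "__main__":
    results = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for file, lineno, masked in results:
        print(f"{file}:{lineno}: possible API key {masked}")
    sys.exit(1 if results else 0)
```

A non-zero exit fails the hook or pipeline step. If a real key is ever flagged, treat it as exposed: create a new key, deploy it, then revoke the old one.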
Use, list, and revoke
Saved keys are listed by name, a masked prefix, and the date created. You never see the full key again — the prefix is just enough to tell them apart. The trash icon revokes a key immediately: any code still using it starts getting rejected, so rotate by creating the new key first, deploying it, then deleting the old one.
For what you can call with the key — creating a checkout from your own code, handling events, and polling status — see Using the API.