> ## Documentation Index
> Fetch the complete documentation index at: https://dev.moonpay.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API and SDK credentials

> Understand the tokens and credentials you need for your integration.

<Callout icon="key" color="#903DD9" iconType="regular">
  During the preview, we will work with you directly to set up your account and
  credentials.
</Callout>

## Server credentials

### Secret key

A server-to-server credential passed in the `X-Api-Key` request header.

<Warning>
  Keep your secret key secure and never expose it. Never commit it to your
  codebase or send it to your frontend.
</Warning>

<CodeGroup>
  ```text Test mode theme={null}
  X-Api-Key: sk_test_123
  ```

  ```text Live mode theme={null}
  X-Api-Key: sk_live_123
  ```
</CodeGroup>

## Client credentials

The check and connect frames return an encrypted `credentials` string. Once
decrypted, it contains the following tokens. Use them to make API requests from
your frontend and initialize frames for sensitive actions.

```json Decrypted credentials theme={null}
{
  "accessToken": "eyJhbGci...",
  "clientToken": "eyJhbGci...",
  "expiresAt": "2026-12-09T07:16:57Z"
}
```

<Warning>
  Never persist client credentials to disk or storage. Hold them in memory only.
  Use your server to get a new `sessionToken` on each app visit. When you
  receive new credentials (for example, authenticated credentials after a
  connect flow), replace the previously stored ones.
</Warning>

### Session token

A token you create on your server and send to your frontend. You use it to start a [connect flow](/platform/guides/connect-a-customer).

### Access token

A token returned from the [check frame](/platform/frames/check) and the [connect frame](/platform/frames/connect). Use it to make API requests from your frontend (via the SDK or directly), such as:

* Getting quotes
* Listing payment methods
* Listing transactions

Anonymous credentials returned when `connectionRequired` give you a scoped access token. Authenticated credentials returned after the connect flow give you a fully-privileged one. Always replace stored credentials when you receive new ones.

This token is intended for client use and shouldn’t be persisted to disk.

### Client token

A token returned from the [check frame](/platform/frames/check) and the [connect frame](/platform/frames/connect). Use it to initialize subsequent frames (for example, the Apple Pay frame or the connect frame). Within frames, this token is used to make authenticated requests.

When `connectionRequired` is returned, pass this anonymous `clientToken` to the connect frame. After authentication, replace it with the `clientToken` from the authenticated credentials.

This token is intended for client use and shouldn’t be persisted to disk.
