Authentication
The Ching API authenticates every request with a Bearer token. Each project has two keys - one for test mode, one for live mode - generated the moment you create the project.
API Keys
Create and rotate API keys from the Developers page in the Ching dashboard. Each key is scoped to a single project, inherits its livemode, and looks like this:
sk_test_a1b2c3d4e5f6g7h8... # 96 characters total, test mode sk_live_a1b2c3d4e5f6g7h8... # 96 characters total, live mode
Security: Treat your API keys like passwords. Never ship them to a browser, mobile app, or public repo. Store them in environment variables or a secrets manager, and rotate them if one leaks.
Making Authenticated Requests
Include your API key in the Authorization header as a Bearer token:
GET /v1/customers HTTP/1.1 Host: api.ching.co.il Authorization: Bearer sk_test_your_api_key_here Content-Type: application/json
Test vs Live
The key you use selects the mode. Test and live data are completely isolated - a customer created with sk_test_ is invisible to queries that use sk_live_, and vice versa.
| Prefix | Mode | Payments | Activation |
|---|---|---|---|
sk_test_ | Test | Simulated, no money moves | Active immediately |
sk_live_ | Live | Real charges through your payment provider | Requires a business identity and an active payment provider |
A live key used before activation returns:
{
"success": false,
"error": {
"status": 403,
"code": "LIVE_KEY_INACTIVE",
"message": "Live mode requires an approved payment provider. Complete provider onboarding first."
}
}Missing or Invalid Keys
Requests without a key, or with a revoked one, return 401 Unauthorized:
{
"success": false,
"error": {
"status": 401,
"code": "NO_ACCESS",
"message": "No access"
}
}