Skip to main content
All Glyde API requests must be authenticated using Bearer tokens. This ensures that only authorized applications can access your account and perform transactions.

API Keys

Glyde provides different types of API keys for different purposes:
Key TypePrefixPurpose
Live Secret Keysk_live_Production transactions with real money
Sandbox Secret Keysk_sandbox_Testing without processing real transactions
Public Keypk_Client-side operations with limited access
Secret keys grant full access to your account. Never expose them in client-side code, commit them to version control, or share them publicly. Store them securely as environment variables.

Getting Your Keys

  1. Log in to your dashboard at dashboard.useglyde.co
  2. Navigate to SettingsAPI Configuration
  3. Copy your keys for the appropriate environment
Your dashboard displays both sandbox and live keys. Use sandbox keys during development and switch to live keys only when you’re ready for production.

Making Authenticated Requests

Include your secret key in the Authorization header of every API request: 
Authorization: Bearer sk_live_your_secret_key

curl -X GET "https://api.useglyde.co/v1/banks" \
  -H "Authorization: Bearer sk_live_your_secret_key"

Authentication Errors

If authentication fails, you’ll receive a 401 Unauthorized response: 
{
  "status": "failed",
  "message": "Unauthenticated"
}
Common causes:
  • Missing Authorization header
  • Invalid or expired API key
  • Using a sandbox key against the production URL (or vice versa)
  • Malformed header (e.g., missing “Bearer” prefix)

Environments

Each environment has its own base URL and requires matching API keys:
ModeBase URLKey Prefix
Sandboxhttps://sandbox.useglyde.co/v1sk_sandbox_
Productionhttps://api.useglyde.co/v1sk_live_
Requests to production with sandbox keys (or vice versa) will fail authentication.

Security Best Practices

  1. Use environment variables — Store keys in environment variables, not in code
  2. Rotate keys periodically — Regenerate keys if you suspect they’ve been compromised
  3. Separate environments — Use different keys for development, staging, and production
  4. Server-side only — Make API calls from your backend, never from browsers or mobile apps
  5. Monitor usage — Review your API logs in the dashboard for unusual activity