Flowwithlit Docs
OVERVIEW

Authentication

Flowwithlit uses two types of credentials depending on who is calling the API: API keys for merchant-to-server calls, and JWT tokens for user-logged-in browser sessions.

API Keys

You get four API keys from the Developer API dashboard — two for test mode, two for live mode — plus one Webhook Secret shared across both modes:

KeyPrefixWhere to use it
Public Key (Test) flw_pub_test_ Browser / JavaScript — safe to expose. Passed to FlowPay.init()
Secret Key (Test) flw_sec_test_ Server-side only. Verifies transactions, accesses protected endpoints.
Public Key (Live) flw_pub_live_ Browser / JavaScript — for real payments in production
Secret Key (Live) flw_sec_live_ Server-side only. Never put in frontend code.
Webhook Secret whsec_ Server-side only. Verifies the X-Flowwithlit-Signature header on incoming webhook POSTs — see Receiving Webhooks. Shown as "Webhook Secret Hash" under the Webhooks section of your dashboard, not next to the API keys.

Using Your Secret Key

Pass the secret key as a Bearer token in the Authorization header:

$ch = curl_init('https://api.flowwithlit.com/v1/transaction/verify/' . $ref);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => [
        'Authorization: Bearer ' . getenv('FLW_SECRET_KEY'),
        'Content-Type: application/json',
    ],
]);
$response = json_decode(curl_exec($ch), true);
const res = await fetch('https://api.flowwithlit.com/v1/transaction/verify/' + ref, {
  headers: {
    'Authorization': `Bearer ${process.env.FLW_SECRET_KEY}`,
    'Content-Type':  'application/json',
  }
});
const data = await res.json();
curl https://api.flowwithlit.com/v1/transaction/verify/FLW_TXN_ABCD1234 \
  -H "Authorization: Bearer flw_sec_test_YOUR_KEY"

Storing Keys Securely

Always read keys from environment variables — never hardcode them in source files:

# .env  — NEVER commit this file to git
FLW_PUBLIC_KEY=flw_pub_test_xxxxxxxxxxxxxxxxxxxx
FLW_SECRET_KEY=flw_sec_test_xxxxxxxxxxxxxxxxxxxx
FLW_WEBHOOK_SECRET=whsec_xxxxxxxxxxxxxxxxxxxxxxxx
<?php
// Using vlucas/phpdotenv (composer require vlucas/phpdotenv)
$dotenv = Dotenv\Dotenv::createImmutable(__DIR__);
$dotenv->load();

$secretKey = getenv('FLW_SECRET_KEY');

// OR without a library (PHP >= 8):
// $secretKey = $_ENV['FLW_SECRET_KEY'];
// npm install dotenv
require('dotenv').config();

const secretKey = process.env.FLW_SECRET_KEY;
const publicKey = process.env.FLW_PUBLIC_KEY;
import os
from dotenv import load_dotenv   # pip install python-dotenv

load_dotenv()

SECRET_KEY  = os.getenv('FLW_SECRET_KEY')
PUBLIC_KEY  = os.getenv('FLW_PUBLIC_KEY')
🚨
Add .env to your .gitignore file so it's never committed to version control. If you accidentally expose a secret key, rotate it immediately from your Developer API dashboard.

Key Rotation

You can rotate your API keys at any time from the Developer API dashboard → Rotate Keys. The old keys stop working immediately. Update your server's environment variables before rotating.