Keys and environments
Keep 0Gate publishable keys, secret keys, webhook secrets, sandbox mode, and live mode separated.
0Gate uses separate credentials for server, browser, and webhook verification. Keep those boundaries strict in every environment.
Credential model
| Credential | Shape | Lives | Use |
|---|---|---|---|
| Publishable key | pk_test_* or pk_live_* | Browser or mobile app | Embed bootstrap and hosted widget launch. |
| Secret key | sk_test_* or sk_live_* | Server only | Create, retrieve, list, cancel sessions and call privileged APIs. |
| Webhook signing secret | whsec_* | Server only | Verify inbound webhook signatures. |
| Embed token | Short-lived runtime token | Hosted 0Gate iframe | Runtime calls after bootstrap. |
Environment model
Use sandbox keys for development and test records. Use live keys only after the partner account, origins, webhooks, product configuration, and required approvals are ready.
Server configuration
GATE_KEY=sk_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
WEBHOOK_SECRET=whsec_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
PUBLIC_GATE_PUBLISHABLE_KEY=pk_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
GATE_API_BASE_URL=https://gate-api-sandbox.0bit.app
Environment variable names are examples. The important rule is which process can read the value. Your server can read GATE_KEY and WEBHOOK_SECRET; browser bundles should receive only the publishable key.
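A startup check for the configuration above, as an added example rather than 0Gate code: it validates the key prefixes from the credential table, checks that the secret and publishable keys are in the same mode, and flags server-only values in browser-exposed variables. It assumes that variables named PUBLIC_* are the ones shipped to browser bundles; the sample values are constructed.

```python
import re

# Prefixes come from the credential table; variable names are the page's examples.
SANDBOX_URL = "https://gate-api-sandbox.0bit.app"
SERVER_ONLY = re.compile(r"^(sk_(test|live)_|whsec_)")


def key_mode(value, kind):
    """Return 'test' or 'live' for a pk_/sk_ key, or None if the shape is wrong."""
    m = re.match(rf"{kind}_(test|live)_.+", value or "")
    return m.group(1) if m else None


def check_env(env):
    """Return a list of problems; messages name variables, never their values."""
    problems = []
    sk_mode = key_mode(env.get("GATE_KEY"), "sk")
    pk_mode = key_mode(env.get("PUBLIC_GATE_PUBLISHABLE_KEY"), "pk")
    if sk_mode is None:
        problems.append("GATE_KEY is not an sk_test_*/sk_live_* key")
    if pk_mode is None:
        problems.append("PUBLIC_GATE_PUBLISHABLE_KEY is not a pk_test_*/pk_live_* key")
    if not (env.get("WEBHOOK_SECRET") or "").startswith("whsec_"):
        problems.append("WEBHOOK_SECRET is not a whsec_* secret")
    if sk_mode and pk_mode and sk_mode != pk_mode:
        problems.append(f"mode mismatch: secret key is {sk_mode}, publishable key is {pk_mode}")
    base_url = (env.get("GATE_API_BASE_URL") or "").rstrip("/")
    if sk_mode == "live" and base_url == SANDBOX_URL:
        problems.append("live secret key configured with the sandbox API base URL")
    # Assumption: variables named PUBLIC_* are the ones exposed to browser bundles.
    for name, value in env.items():
        if name.startswith("PUBLIC_") and SERVER_ONLY.match(value or ""):
            problems.append(f"{name} holds a server-only credential")
    return problems


# Constructed sample values, not real credentials.
GOOD = {
    "GATE_KEY": "sk_test_constructed0001",
    "WEBHOOK_SECRET": "whsec_constructed0002",
    "PUBLIC_GATE_PUBLISHABLE_KEY": "pk_test_constructed0003",
    "GATE_API_BASE_URL": SANDBOX_URL,
}
BAD = dict(GOOD, GATE_KEY="sk_live_constructed0004", PUBLIC_DEBUG_KEY="sk_test_constructed0001")

if __name__ == "__main__":
    for label, env in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_env(env) or "ok")
```

Run it against the process environment at boot or in CI and fail the start when the returned list is not empty.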
Rules
- Never send sk_* to browser, mobile app, analytics, URLs, screenshots, or support tickets.
- Never use live keys in local demos, automated tests, or public examples.
- Keep sandbox and live records separate in your database.
- Rotate credentials through the approved partner/account process.
- Treat production activation as account-specific; a successful sandbox flow is not proof of live availability.