API Credentials Overview
When you register for a Spreedly Organization, you’ll receive an organization key. While this key does not allow you to make transactions via the API, it enables you to create the Spreedly environments where you will process transactions.
After setting up your Spreedly Organization, the next step is to create your API credentials. These include the environment key (non-sensitive information) and single-environment access secret (sensitive information - keep this secure and never share it, even with Spreedly). These credentials are required to authenticate your API calls. By the end of this module:
- You will have an environment key (non-sensitive information)
- You will have an access secret (sensitive information)
- You will understand how to add additional users (optional, but highly recommended)
Environments
In Spreedly, your payment data is organized into environments. Each environment is represented by an environment key, which is provided when you create an environment. You can also assign a name to the environment, such as “Testing” or “Production”.
Although you can use a single environment for both test and production traffic, we strongly recommend creating at least two separate environments—one for testing and one for production. This separation helps keep your test data distinct from your production data, making reporting and analysis easier.
You can create additional environments directly from the Spreedly App at app.spreedly.com. After logging in, click the Environment section in the side menu and select “Create new environment”. Then, you can:
- Enter a name for your environment
- Choose a payment method submission option (iFrame or Spreedly Express is recommended)
- Enable enhanced security
- Click “Save changes” to finalize the creation of the environment
Access Secrets
Once you’ve set up an environment, you will need to create an access secret to authenticate your API calls.
There are two types of access secrets:
- Organization Access Secret – This secret is used to authenticate any API call within your entire organization. It’s created when you register for your Spreedly account. While useful, it is more secure to use a single-environment access secret for each specific environment.
- Single-Environment Access Secret – This secret is specific to an individual environment and enhances security by ensuring API calls are only authenticated for the intended environment.
To create a single-environment access secret:
- In the Spreedly App, go to the Environment section in the side menu.
- Select “Access secrets” and click the “Add access secret” button.
- Store the access secret securely, as it will not be viewable once you navigate away from the page.
Now, with both the environment key and access secret, you can authenticate API requests. Spreedly uses HTTP Basic Authentication for API calls.
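The following is an added example, not Spreedly's own code: it loads the two credentials from the process environment, builds the HTTP Basic Authentication header with the environment key as the username and the access secret as the password, keeps the secret out of log output, and refuses non-HTTPS URLs. The environment variable names, the `Credentials` class, the `build_request` helper and the `api.example.test` URL are assumptions made for illustration.

```python
import base64
import os
import urllib.request
from urllib.parse import urlsplit

# Assumed names: these environment variable names are illustrative only.
ENV_KEY_VAR = "SPREEDLY_ENVIRONMENT_KEY"
SECRET_VAR = "SPREEDLY_ACCESS_SECRET"


class Credentials:
    """Environment key (non-sensitive) plus access secret (sensitive)."""

    def __init__(self, environment_key, access_secret):
        if not environment_key or not access_secret:
            raise ValueError("environment key and access secret are both required")
        if ":" in environment_key:
            # RFC 7617: the user-id in Basic auth cannot contain a colon.
            raise ValueError("environment key must not contain ':'")
        self.environment_key = environment_key
        self._access_secret = access_secret

    @classmethod
    def from_env(cls, environ=os.environ):
        # Read from the environment so the secret never sits in source control.
        return cls(environ.get(ENV_KEY_VAR, ""), environ.get(SECRET_VAR, ""))

    def __repr__(self):
        # Keep the secret out of logs and tracebacks.
        return f"Credentials(environment_key={self.environment_key!r}, access_secret='***')"

    def authorization_header(self):
        pair = f"{self.environment_key}:{self._access_secret}".encode("utf-8")
        return "Basic " + base64.b64encode(pair).decode("ascii")


def build_request(creds, url):
    """Return an unsent request carrying the Basic auth header."""
    # Basic auth is base64 encoding, not encryption: require TLS.
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    req = urllib.request.Request(url)
    req.add_header("Authorization", creds.authorization_header())
    return req


if __name__ == "__main__":
    # Constructed sample values, not real credentials; placeholder URL.
    demo = Credentials("EXAMPLE_ENV_KEY", "EXAMPLE_ACCESS_SECRET")
    print(demo)
    print(build_request(demo, "https://api.example.test/v1/resource").full_url)
```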
Other Credentials
In addition to the credentials needed for accessing Spreedly itself, you may need additional credentials to send payment data to external parties, such as a gateway processor. If you don’t already have these sandbox and production credentials, we recommend acquiring them directly from the respective providers. You will need these credentials to interact with external endpoints.
Adding Users
You may want to add users to your Spreedly Organization to allow them access to the app. To add a new user:
- Click the name of your Organization at the bottom of the side menu.
- Select “Organization users” and click the “Add user” button.
You can also configure Role-Based Access Controls (RBAC) for added security. RBAC allows you to assign specific roles to users, ensuring they only have access to the data and features they need. This helps improve security, promotes a separation of duties, and makes the experience more user-friendly for both business and technical users by limiting their scope of access.
Module Completion
You have completed Module 1 if:
- You have an environment key
- You have an access secret
- You have added a user (optional, but highly recommended)