Dev Platform: API Keys & Environments

Separate API credentials by environment, wire secrets safely, and rotate keys without downtime.

API Keys by Environment

Use separate API credentials for local development, staging, and production. This prevents accidental cross-environment transactions and makes revocation safer if a key is exposed.

Create keys in the API Keys console and name them clearly, for example:

myapp-local-api
myapp-staging-api
myapp-production-api

Secret Storage and Config

Never hardcode client secrets. Store credentials in environment variables or a managed secrets system and inject them at runtime.

# .env.local
ONESHOT_CLIENT_ID=local_client_id
ONESHOT_CLIENT_SECRET=local_client_secret
ONESHOT_BUSINESS_ID=local_business_id

# .env.staging
ONESHOT_CLIENT_ID=staging_client_id
ONESHOT_CLIENT_SECRET=staging_client_secret
ONESHOT_BUSINESS_ID=staging_business_id

# .env.production
ONESHOT_CLIENT_ID=prod_client_id
ONESHOT_CLIENT_SECRET=prod_client_secret
ONESHOT_BUSINESS_ID=prod_business_id

Add these secret files to .gitignore, and keep production credentials in your deployment platform's secret manager.

Generate Tokens Server-Side

Mint bearer tokens from your backend using client credentials. Avoid exposing API client secrets in browser code.

import axios from "axios";

export async function getOneShotAccessToken() {
  const response = await axios.post(
    "https://api.1shotapi.com/v0/token",
    {
      grant_type: "client_credentials",
      client_id: process.env.ONESHOT_CLIENT_ID,
      client_secret: process.env.ONESHOT_CLIENT_SECRET,
    },
    { headers: { "Content-Type": "application/json" } },
  );

  return response.data.access_token as string;
}

Access tokens expire after one hour, so refresh when expired or when the API returns an authentication failure.

Example Calls with Environment Variables

Use environment variables in scripts and CI jobs to avoid embedding secrets directly in commands.

# 1) Generate a bearer token
TOKEN=$(curl -s -X POST https://api.1shotapi.com/v0/token \
  -H "Content-Type: application/json" \
  -d "{\"grant_type\":\"client_credentials\",\"client_id\":\"$ONESHOT_CLIENT_ID\",\"client_secret\":\"$ONESHOT_CLIENT_SECRET\"}" \
  | jq -r .access_token)

# 2) List contract methods for the current environment
curl -X GET "https://api.1shotapi.com/v0/business/$ONESHOT_BUSINESS_ID/methods" \
  -H "Authorization: Bearer $TOKEN" | jq .

Rotation and Revocation Workflow

  1. Create a new key for the same environment and service.
  2. Deploy with both old and new credentials supported during cutover.
  3. Verify token minting and transaction execution with the new key.
  4. Delete the old key once all workloads are using the new one.

Deleted keys are permanently deactivated, so only remove old keys after rollout checks pass.
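
Added example, not 1Shot API's own code: a token provider in plain JavaScript that covers the refresh rule under Generate Tokens Server-Side (re-mint after the one-hour expiry or on an authentication failure) and step 2 of the rotation workflow (new key first, old key as fallback). The `mint` callback, the credential object fields, the one-minute refresh margin, and the use of HTTP 401 as the authentication-failure signal are assumptions.

```javascript
// Added example. `mint(cred)` is a hypothetical async function that POSTs
// cred.clientId / cred.clientSecret to /v0/token and resolves to the JSON body.
function createTokenProvider({ credentials, mint, now = Date.now }) {
  const TTL_MS = 60 * 60 * 1000; // tokens expire after one hour (per the docs)
  const SKEW_MS = 60 * 1000;     // assumption: refresh one minute early
  let cached = null;             // { token, keyName, expiresAt }
  let inflight = null;           // shared promise so concurrent callers mint once

  async function mintWithFallback() {
    let lastError = new Error("no credentials configured");
    // Cutover order: new key first, old key only if the new one fails.
    for (const cred of credentials) {
      try {
        const body = await mint(cred);
        return { token: body.access_token, keyName: cred.name,
                 expiresAt: now() + TTL_MS - SKEW_MS };
      } catch (err) {
        lastError = err; // never log cred.clientSecret here
      }
    }
    throw lastError;
  }

  async function getToken(forceRefresh = false) {
    if (!forceRefresh && cached && now() < cached.expiresAt) return cached.token;
    if (!inflight) {
      inflight = mintWithFallback()
        .then((entry) => { cached = entry; return entry.token; })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  // Runs call(token); on an authentication failure (assumed to be HTTP 401)
  // it mints a fresh token and retries exactly once.
  async function withToken(call) {
    const first = await call(await getToken());
    if (first.status !== 401) return first;
    return call(await getToken(true));
  }

  // Which key minted the current token: check this before deleting the old key.
  const activeKey = () => (cached ? cached.keyName : null);
  return { getToken, withToken, activeKey };
}
```

During cutover, `activeKey()` reports which key minted the current token, so a workload still reporting the old key name has not finished moving to the new one.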