Can I put a PRAMAAN API key in frontend code?

No. Use your backend as the caller and expose only your own scoped endpoint to the browser or app.

How often should keys rotate?

Rotate on access changes, suspected exposure, environment migration, and at least as part of a regular security calendar.

Are sandbox and production keys interchangeable?

No. Sandbox keys use fixture behavior and must not be used as evidence that production consent and billing are live.

API keys FAQ — PRAMAAN Help Center

Overview

API keys are server-side credentials. They should never be embedded in mobile apps, browser JavaScript, public GitHub repos, screenshots, tickets, or chat messages.

What to do

Step 1: Use separate keys for sandbox and production.

Step 2: Store keys in your server secret manager, not in source code.

Step 3: Rotate keys when a teammate leaves, a vendor changes, or a secret may have leaked.

bash

Server-side key usage

curl https://api.pramaan.online/v1/health \
  -H "Authorization: Bearer $PRAMAAN_API_KEY"

Frequently asked questions

Next step

Move safely from answer to action.

Store the key server-side and verify it from a backend environment before connecting any user-facing workflow.

Ask PRAMAAN Talk to a human

Was this helpful?

API keys FAQ