Authentication
All Lightning Enable API requests require authentication using an API key.
API Key
Lightning Enable uses a single merchant API key for payment operations and merchant self-service endpoints. Include it in the X-API-Key header on every authenticated request.
Using Your API Key
Include your API key in the X-API-Key header:
curl -X GET https://api.lightningenable.com/api/payments/inv_123 \
  -H "X-API-Key: le_merchant_abc123xyz..."
API Key Format
Lightning Enable API keys follow this format:
le_merchant_<random-characters>
Example:
le_merchant_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Obtaining Your API Key
When you subscribe to Lightning Enable:
- Complete the checkout process
- Your API key is displayed on the success page
- Your API key is also emailed to you
Enterprise customers needing multiple keys or custom onboarding should contact support@lightningenable.com.
API Key Security
Best Practices
- Never commit API keys to version control
    # .gitignore
    .env
    appsettings.Development.json
- Use environment variables
    export LIGHTNING_API_KEY="le_merchant_abc123..."
    const apiKey = process.env.LIGHTNING_API_KEY;
- Rotate keys periodically
  Request a new key and update your configuration.
- Use separate keys for development and production
  Keep your production key secret by using testnet keys during development.
Storage Recommendations
| Environment | Recommendation |
|---|---|
| Development | .env file (gitignored) |
| CI/CD | Secret management (GitHub Secrets, etc.) |
| Production | Environment variables or secret manager |
Key Rotation
Request a new API key when:
- Key may have been compromised
- Employee with access leaves
- Periodic security rotation
Rotate via the Lightning Enable dashboard (Dashboard → Settings → API Keys → Regenerate). The old API key is immediately invalidated on regeneration — update your applications before rotating.
Error Responses
Missing API Key
HTTP/1.1 401 Unauthorized
{
  "error": "Unauthorized",
  "message": "API key is required. Include X-API-Key header."
}
Invalid API Key
HTTP/1.1 401 Unauthorized
{
  "error": "Unauthorized",
  "message": "Invalid API key"
}
Inactive Merchant
HTTP/1.1 403 Forbidden
{
  "error": "Forbidden",
  "message": "Merchant account is inactive"
}
Testing Authentication
First, verify the API is running by calling the public health endpoint (no authentication required):
curl https://api.lightningenable.com/health
Expected response:
{
  "status": "Healthy",
  "totalDuration": 42.15,
  "checks": [
    {
      "name": "database",
      "status": "Healthy",
      "duration": 38.72,
      "description": null,
      "exception": null,
      "tags": ["db", "sql"]
    }
  ]
}
Then verify your API key works by calling an authenticated endpoint:
curl -X GET https://api.lightningenable.com/api/merchant/me \
  -H "X-API-Key: le_merchant_abc123..."
A 200 response confirms your key is valid. A 401 means the key is invalid or missing.
Code Examples
JavaScript
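const API_KEY = process.env.LIGHTNING_API_KEY;
// Fail fast instead of sending the literal header value "undefined".
if (!API_KEY) {
  throw new Error('LIGHTNING_API_KEY is not set');
}

async function makeRequest(endpoint) {
  const response = await fetch(`https://api.lightningenable.com${endpoint}`, {
    headers: {
      'X-API-Key': API_KEY
    }
  });
  if (response.status === 401) {
    throw new Error('Invalid API key');
  }
  // Surface other failures (such as 403 for an inactive merchant) instead of parsing them as success.
  if (!response.ok) {
    throw new Error(`Request failed with status ${response.status}`);
  }
  return response.json();
}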
C# / .NET
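using System;
using System.Net.Http;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;

public class LightningEnableClient
{
    private readonly HttpClient _client;

    public LightningEnableClient(IConfiguration config)
    {
        _client = new HttpClient
        {
            BaseAddress = new Uri("https://api.lightningenable.com")
        };
        // Sent on every request made through this client.
        _client.DefaultRequestHeaders.Add("X-API-Key", config["LightningApiKey"]);
    }

    public async Task<T> GetAsync<T>(string endpoint)
    {
        var response = await _client.GetAsync(endpoint);
        // Throws HttpRequestException on 401, 403 and other non-success statuses.
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadFromJsonAsync<T>();
    }
}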
Python
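import os
import requests

# Raises KeyError at startup if the key is not configured.
API_KEY = os.environ['LIGHTNING_API_KEY']
BASE_URL = 'https://api.lightningenable.com'

def make_request(endpoint):
    response = requests.get(
        f'{BASE_URL}{endpoint}',
        headers={'X-API-Key': API_KEY},
        timeout=10,  # requests applies no timeout unless one is given
    )
    # Raises requests.HTTPError on 401, 403 and other error statuses.
    response.raise_for_status()
    return response.json()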
Next Steps
- Request Headers - Idempotency, correlation IDs, and API versioning
- Payments API - Create payments
- Webhooks - Payment notifications
- Errors - Error handling