API Key Management
Your API key is the credential that authenticates your requests to the Lightning Enable API. This guide covers everything you need to know about API keys: how they work, where to find them, how to manage them, and security best practices.
Understanding API Keys
What Is Your API Key?
Your Lightning Enable API key is a unique, randomly-generated credential that:
- Identifies your merchant account to the Lightning Enable API
- Authenticates all your API requests via the X-API-Key header
- Provides access to create invoices, check payment status, and manage your integration
Example API key format:
FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc=
API Key vs OpenNode API Key
You have two different keys - don't confuse them:
| Key | Purpose | Source | Used By |
|---|---|---|---|
| Lightning Enable API Key | Authenticate to Lightning Enable | Generated at signup | Your application → Lightning Enable |
| OpenNode API Key | Connect Lightning Enable to OpenNode | From OpenNode dashboard | Lightning Enable → OpenNode |
Your App               Lightning Enable               OpenNode
│                              │                          │
│ X-API-Key: abc123...         │                          │
├─────────────────────────────►│                          │
│ (Lightning Enable API Key)   │                          │
│                              │ Authorization: xyz789... │
│                              ├─────────────────────────►│
│                              │ (OpenNode API Key)       │
Getting Your API Key
At Signup
When you complete your subscription checkout:
- Stripe processes your payment
- Lightning Enable generates your API key
- Success page displays your key with copy button
- Welcome email contains your key as a backup
The success page is the primary place to copy your key. Save it to a secure location (password manager, environment variables, secret manager) before navigating away.
Welcome Email
Your welcome email includes your API key:
Subject: Welcome to Lightning Enable!
Your Lightning Enable API key:
┌──────────────────────────────────────────────┐
│ FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc= │
└──────────────────────────────────────────────┘
Save this key securely - you'll need it to authenticate API requests.
Key Management Dashboard
Access your key anytime at: https://api.lightningenable.com/Dashboard/Keys
The dashboard allows you to:
- View your current API key (masked by default)
- Reveal your full key with one click
- Regenerate your key if needed
- See when your key was last changed
Using Your API Key
In API Requests
Include your API key in the X-API-Key header:
curl -X POST https://api.lightningenable.com/api/payments \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_API_KEY_HERE" \
  -d '{
    "amount": 10.00,
    "currency": "USD",
    "description": "Product purchase"
  }'
In Application Code
.NET / C#
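using System.Text;
var client = new HttpClient();
// Read the key from the environment instead of hardcoding it
client.DefaultRequestHeaders.Add("X-API-Key", Environment.GetEnvironmentVariable("LIGHTNING_ENABLE_API_KEY"));
var content = new StringContent("{\"amount\": 10.00, \"currency\": \"USD\"}", Encoding.UTF8, "application/json");
var response = await client.PostAsync("https://api.lightningenable.com/api/payments", content);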
Node.js / JavaScript
const response = await fetch('https://api.lightningenable.com/api/payments', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': process.env.LIGHTNING_ENABLE_API_KEY
  },
  body: JSON.stringify({ amount: 10.00, currency: 'USD' })
});
Python
import os
import requests
response = requests.post(
    'https://api.lightningenable.com/api/payments',
    headers={
        'Content-Type': 'application/json',
        'X-API-Key': os.environ['LIGHTNING_ENABLE_API_KEY']
    },
    json={'amount': 10.00, 'currency': 'USD'}
)
Managing Your API Key
Viewing Your Key
- Go to https://api.lightningenable.com/Dashboard/Keys
- Authenticate with your current API key
- Click "Reveal Key" to show the full key
- Click "Copy" to copy to clipboard
Regenerating Your Key
If your key is compromised or you want to rotate it for security:
- Go to https://api.lightningenable.com/Dashboard/Keys
- Click "Regenerate Key"
- Confirm the action in the dialog
- Copy your new key immediately
- Update all your applications with the new key
- Your old key is invalidated instantly
- Any application using the old key will receive 401 Unauthorized
- You cannot recover the old key
- Plan your key rotation carefully to minimize downtime
Key Rotation Best Practices
For production systems, follow this rotation procedure:
- Prepare - Have your deployment process ready
- Regenerate - Get the new key from the dashboard
- Update secrets - Deploy new key to all environments
- Verify - Test API calls with new key
- Monitor - Watch for any failed authentications
# Example: Updating Azure App Service
az webapp config appsettings set \
  --name your-app \
  --resource-group your-rg \
  --settings "LIGHTNING_ENABLE_API_KEY=your-new-key"
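The Monitor step above, as an added example that is not Lightning Enable's own code: because the old key stops working instantly, any service still returning 401 after the regeneration time has not picked up the new key. The JSON log format, service names and timestamps are constructed for the illustration and stand in for your own application's outbound-call log.

```python
import json
from datetime import datetime

# Constructed sample: one JSON line per outbound call to the payments API,
# as written by your own services (format and service names are assumptions).
SAMPLE_LOG = [
    '{"ts": "2024-05-01T11:59:50+00:00", "service": "checkout", "status": 200}',
    '{"ts": "2024-05-01T11:59:55+00:00", "service": "reports", "status": 200}',
    '{"ts": "2024-05-01T12:00:05+00:00", "service": "checkout", "status": 401}',
    '{"ts": "2024-05-01T12:00:10+00:00", "service": "worker", "status": 401}',
    '{"ts": "2024-05-01T12:00:40+00:00", "service": "checkout", "status": 200}',
    '{"ts": "2024-05-01T12:01:10+00:00", "service": "worker", "status": 401}',
]
ROTATED_AT = datetime.fromisoformat("2024-05-01T12:00:00+00:00")


def rotation_status(log_lines, rotated_at):
    """Classify each service by the calls it made after the key was regenerated.

    stale     - latest conclusive call got 401: old key still deployed
    recovered - got 401 after rotation, then a 2xx with the new key
    ok        - only 2xx after rotation
    unseen    - no conclusive call since rotation, so the new key is unverified
    """
    records = [json.loads(line) for line in log_lines]
    for rec in records:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    status = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        service, code = rec["service"], rec["status"]
        if rec["ts"] < rotated_at or not (code == 401 or 200 <= code < 300):
            status.setdefault(service, "unseen")  # says nothing about the new key
        elif code == 401:
            status[service] = "stale"
        elif status.get(service) in ("stale", "recovered"):
            status[service] = "recovered"
        else:
            status[service] = "ok"
    return status


def needs_attention(status):
    """Services to chase before calling the rotation done."""
    return sorted(s for s, state in status.items() if state in ("stale", "unseen"))


if __name__ == "__main__":
    print(rotation_status(SAMPLE_LOG, ROTATED_AT))
```

A service reported as unseen has simply not called the API since the rotation, so trigger a test request from it before treating the rotation as verified.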
Security Best Practices
Do's
| Practice | Why |
|---|---|
| Store in environment variables | Keeps keys out of code |
| Use a secret manager | Centralized, audited secret storage |
| Rotate keys periodically | Limits exposure if compromised |
| Use different keys per environment | Isolates dev/staging/prod |
| Monitor for unauthorized use | Detect compromises early |
Don'ts
| Anti-Pattern | Risk |
|---|---|
| Hardcode in source code | Keys in git history forever |
| Commit to version control | Public exposure |
| Share via email/chat | Keys in searchable logs |
| Log API keys | Exposure in log aggregators |
| Use same key everywhere | Blast radius if compromised |
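One way to enforce the "Log API keys" and "Hardcode in source code" rows above, as an added example that is not part of Lightning Enable's documentation or SDK: a logging filter and a line scanner that replace key-shaped strings with a short SHA-256 fingerprint. It assumes real keys have the same shape as the sample key on this page (44 base64 characters ending in one "="); the function and class names are illustrative.

```python
import hashlib
import logging
import re

# Assumption: real keys share the shape of the sample key on this page:
# 43 base64 characters plus one '=' pad (32 random bytes).
KEY_SHAPE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{43}=(?![A-Za-z0-9+/=])")


def fingerprint(token: str) -> str:
    """Short non-reversible tag so two log lines can be tied to the same key."""
    return hashlib.sha256(token.encode()).hexdigest()[:8]


def redact(text: str) -> str:
    """Replace every key-shaped token with a fingerprint placeholder."""
    return KEY_SHAPE.sub(
        lambda m: f"[REDACTED key sha256:{fingerprint(m.group(0))}]", text
    )


class RedactKeys(logging.Filter):
    """Scrub key-shaped values from a record before the handler emits it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = None
        return True


def scan_lines(lines):
    """Return (line_number, redacted_line) for each line that held a key."""
    hits = []
    for number, line in enumerate(lines, 1):
        cleaned = redact(line)
        if cleaned != line:
            hits.append((number, cleaned))
    return hits


if __name__ == "__main__":
    # Constructed input; the key is the sample value printed on this page.
    sample = [
        'headers = {"X-API-Key": "FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc="}',
        "POST /api/payments -> 200",
    ]
    for number, line in scan_lines(sample):
        print(number, line)
```

Attach the filter to each handler with handler.addFilter(RedactKeys()) so that records from every logger pass through it; scan_lines can be run over staged files in a pre-commit hook.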
Environment Variable Examples
Linux/macOS:
export LIGHTNING_ENABLE_API_KEY="FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc="
Windows PowerShell:
$env:LIGHTNING_ENABLE_API_KEY = "FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc="
Docker:
ENV LIGHTNING_ENABLE_API_KEY=${LIGHTNING_ENABLE_API_KEY}
.env file (local development only):
LIGHTNING_ENABLE_API_KEY=FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc=
Add .env to your .gitignore file.
Secret Managers
For production, use a proper secret manager:
| Platform | Service |
|---|---|
| Azure | Key Vault |
| AWS | Secrets Manager |
| Google Cloud | Secret Manager |
| Kubernetes | Secrets |
| HashiCorp | Vault |
Azure Key Vault Example:
# Store secret
az keyvault secret set \
  --vault-name your-vault \
  --name "LightningEnableApiKey" \
  --value "FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc="

// Retrieve in app (C#)
var secret = await secretClient.GetSecretAsync("LightningEnableApiKey");
var apiKey = secret.Value.Value;
Troubleshooting
"API key required"
{"error": "API key required", "message": "Please provide API key in X-API-Key header"}
Cause: Missing X-API-Key header
Fix: Add the header to your request:
-H "X-API-Key: YOUR_KEY_HERE"
"Invalid API key"
{"error": "Invalid API key", "message": "The provided API key is invalid or inactive"}
Causes:
- Key was regenerated (old key no longer valid)
- Typo in the key
- Key from wrong environment (dev vs prod)
- Subscription expired or canceled
Fix:
- Check you're using the correct, current key
- Verify your subscription status
- Regenerate a new key if needed
"Subscription inactive"
{"error": "Subscription inactive", "message": "Your subscription is not active"}
Cause: Stripe subscription is past_due, canceled, or expired
Fix:
- Check your Stripe subscription status
- Update payment method if needed
- Contact support if issue persists
API Key Lifecycle
┌────────────────────────────────────────────────────────────────────────┐
│                           API Key Lifecycle                            │
├────────────────────────────────────────────────────────────────────────┤
│                                                                        │
│  ┌────────────┐    ┌────────────┐    ┌────────────┐    ┌────────────┐  │
│  │   SIGNUP   │───►│   ACTIVE   │───►│ REGENERATE │───►│   ACTIVE   │  │
│  │            │    │            │    │            │    │ (new key)  │  │
│  └────────────┘    └────────────┘    └────────────┘    └────────────┘  │
│        │                 │                 │                           │
│        │                 │                 │                           │
│        ▼                 ▼                 ▼                           │
│  Key shown on      Key used for      Old key           New key         │
│  success page      all API calls     invalidated       now active      │
│  + welcome email                     immediately                       │
│                                                                        │
└────────────────────────────────────────────────────────────────────────┘
Related Documentation
- Getting Started - Initial setup guide
- API Reference - Authentication details
- OpenNode Setup - Configuring your OpenNode key
- Webhooks - Securing webhook endpoints
FAQ
Can I have multiple API keys?
Currently, each merchant account has one API key. If you need separate keys for different environments, consider separate subscriptions for dev/staging/prod.
How long is an API key valid?
API keys don't expire based on time. They remain valid until:
- You regenerate the key
- Your subscription is canceled
- Your account is deactivated
Can I see my old API key?
No. When you regenerate, the old key is permanently invalidated and cannot be retrieved. This is a security feature.
What if I lose my API key?
- Log into the Key Management Dashboard
- Regenerate a new key
- Update all your applications
Is the API key transmitted securely?
Yes. All API requests must use HTTPS, encrypting the key in transit. The key is stored encrypted at rest in our database.