API Key Management

Your API key is the credential that authenticates your requests to the Lightning Enable API. This guide covers everything you need to know about API keys: how they work, where to find them, how to manage them, and security best practices.

Understanding API Keys

What Is Your API Key?

Your Lightning Enable API key is a unique, randomly-generated credential that:

• Identifies your merchant account to the Lightning Enable API
• Authenticates all your API requests via the X-API-Key header
• Provides access to create invoices, check payment status, and manage your integration

Example API key format:
FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc=

API Key vs Provider API Key

You have two different keys - don't confuse them:

Key	Purpose	Source	Used By
Lightning Enable API Key	Authenticate to Lightning Enable	Generated at signup	Your application → Lightning Enable
Provider API Key (Strike or OpenNode)	Connect Lightning Enable to your payment provider	From your provider dashboard	Lightning Enable → Strike or OpenNode

Your App                    Lightning Enable         Strike or OpenNode
   │                              │                          │
   │  X-API-Key: abc123...        │                          │
   ├─────────────────────────────►│                          │
   │  (Lightning Enable API Key)  │                          │
   │                              │  Authorization: xyz789... │
   │                              ├─────────────────────────►│
   │                              │  (Provider API Key)       │

Getting Your API Key

At Signup

When you complete your subscription checkout:

1. Stripe processes your payment
2. Lightning Enable generates your API key
3. Success page displays your key with copy button
4. Welcome email contains your key as a backup

Save Your Key Immediately

The success page is the primary place to copy your key. Save it to a secure location (password manager, environment variables, secret manager) before navigating away.

Welcome Email

Your welcome email includes your API key:

Subject: Welcome to Lightning Enable!

Your Lightning Enable API key:
┌──────────────────────────────────────────────┐
│  FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc=  │
└──────────────────────────────────────────────┘

Save this key securely - you'll need it to authenticate API requests.

Key Management Dashboard

Access your key anytime at: https://api.lightningenable.com/Dashboard/Keys

The dashboard allows you to:

• View your current API key (masked by default)
• Reveal your full key with one click
• Regenerate your key if needed
• See when your key was last changed

Using Your API Key

In API Requests

Include your API key in the X-API-Key header:

curl -X POST https://api.lightningenable.com/api/payments \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_API_KEY_HERE" \
  -d '{
    "amount": 10.00,
    "currency": "USD",
    "description": "Product purchase"
  }'

In Application Code

.NET / C#

var client = new HttpClient();
client.DefaultRequestHeaders.Add("X-API-Key", Environment.GetEnvironmentVariable("LIGHTNING_ENABLE_API_KEY"));

var response = await client.PostAsync("https://api.lightningenable.com/api/payments", content);

Node.js / JavaScript

const response = await fetch('https://api.lightningenable.com/api/payments', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': process.env.LIGHTNING_ENABLE_API_KEY
  },
  body: JSON.stringify({ amount: 10.00, currency: 'USD' })
});

Python

import os
import requests

response = requests.post(
    'https://api.lightningenable.com/api/payments',
    headers={
        'Content-Type': 'application/json',
        'X-API-Key': os.environ['LIGHTNING_ENABLE_API_KEY']
    },
    json={'amount': 10.00, 'currency': 'USD'}
)

Managing Your API Key

Viewing Your Key

1. Go to https://api.lightningenable.com/Dashboard/Keys
2. Authenticate with your current API key
3. Click "Reveal Key" to show the full key
4. Click "Copy" to copy to clipboard

Regenerating Your Key

If your key is compromised or you want to rotate it for security:

1. Go to https://api.lightningenable.com/Dashboard/Keys
2. Click "Regenerate Key"
3. Confirm the action in the dialog
4. Copy your new key immediately
5. Update all your applications with the new key

Key Regeneration is Immediate and Irreversible

• Your old key is invalidated instantly
• Any application using the old key will receive 401 Unauthorized
• You cannot recover the old key
• Plan your key rotation carefully to minimize downtime

Key Rotation Best Practices

For production systems, follow this rotation procedure:

1. Prepare - Have your deployment process ready
2. Regenerate - Get the new key from the dashboard
3. Update secrets - Deploy new key to all environments
4. Verify - Test API calls with new key
5. Monitor - Watch for any failed authentications

# Example: Updating Azure App Service
az webapp config appsettings set \
  --name your-app \
  --resource-group your-rg \
  --settings "LIGHTNING_ENABLE_API_KEY=your-new-key"

Security Best Practices

Do's

Practice	Why
Store in environment variables	Keeps keys out of code
Use a secret manager	Centralized, audited secret storage
Rotate keys periodically	Limits exposure if compromised
Use different keys per environment	Isolates dev/staging/prod
Monitor for unauthorized use	Detect compromises early

Don'ts

Anti-Pattern	Risk
Hardcode in source code	Keys in git history forever
Commit to version control	Public exposure
Share via email/chat	Keys in searchable logs
Log API keys	Exposure in log aggregators
Use same key everywhere	Blast radius if compromised

Environment Variable Examples

Linux/macOS:

export LIGHTNING_ENABLE_API_KEY="FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc="

Windows PowerShell:

$env:LIGHTNING_ENABLE_API_KEY = "FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc="

Docker:

ENV LIGHTNING_ENABLE_API_KEY=${LIGHTNING_ENABLE_API_KEY}

.env file (local development only):

LIGHTNING_ENABLE_API_KEY=FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc=

Never Commit .env Files

Add .env to your .gitignore file.

Secret Managers

For production, use a proper secret manager:

Platform	Service
Azure	Key Vault
AWS	Secrets Manager
Google Cloud	Secret Manager
Kubernetes	Secrets
HashiCorp	Vault

Azure Key Vault Example:

# Store secret
az keyvault secret set \
  --vault-name your-vault \
  --name "LightningEnableApiKey" \
  --value "FwZ7CQh+733nQgKNwOJj3gT1r0eQBJvHPMH/HHRhhkc="

# Retrieve in app
var secret = await secretClient.GetSecretAsync("LightningEnableApiKey");
var apiKey = secret.Value.Value;

Troubleshooting

"API key required"

{"error": "API key required", "message": "Please provide API key in X-API-Key header"}

Cause: Missing X-API-Key header

Fix: Add the header to your request:

-H "X-API-Key: YOUR_KEY_HERE"

"Invalid API key"

{"error": "Invalid API key", "message": "The provided API key is invalid or inactive"}

Causes:

• Key was regenerated (old key no longer valid)
• Typo in the key
• Key from wrong environment (dev vs prod)
• Subscription expired or canceled

Fix:

1. Check you're using the correct, current key
2. Verify your subscription status
3. Regenerate a new key if needed

"Subscription inactive"

{"error": "Subscription inactive", "message": "Your subscription is not active"}

Cause: Stripe subscription is past_due, canceled, or expired

Fix:

1. Check your Stripe subscription status
2. Update payment method if needed
3. Contact support if issue persists

API Key Lifecycle

┌─────────────────────────────────────────────────────────────────┐
│                        API Key Lifecycle                         │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐  │
│  │  SIGNUP  │───►│  ACTIVE  │───►│ REGENERATE│───►│  ACTIVE  │  │
│  │          │    │          │    │          │    │ (new key) │  │
│  └──────────┘    └──────────┘    └──────────┘    └──────────┘  │
│       │               │                               │         │
│       │               │                               │         │
│       ▼               ▼                               ▼         │
│  Key shown on    Key used for     Old key          New key     │
│  success page    all API calls    invalidated      now active   │
│  + welcome email                  immediately                   │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Related Documentation

• Getting Started - Initial setup guide
• API Reference - Authentication details
• Payment Provider Setup - Configuring your provider API key
• Webhooks - Securing webhook endpoints

FAQ

Can I have multiple API keys?

Currently, each merchant account has one API key. If you need separate keys for different environments, consider separate subscriptions for dev/staging/prod.

How long is an API key valid?

API keys don't expire based on time. They remain valid until:

• You regenerate the key
• Your subscription is canceled
• Your account is deactivated

Can I see my old API key?

No. When you regenerate, the old key is permanently invalidated and cannot be retrieved. This is a security feature.

What if I lose my API key?

1. Log into the Key Management Dashboard
2. Regenerate a new key
3. Update all your applications

Is the API key transmitted securely?

Yes. All API requests must use HTTPS, encrypting the key in transit. The key is stored encrypted at rest in our database.