Projects & API Keys

Once you create a Picket account, you can view your account dashboard. To start developing with Picket, you'll need to create a project. You can think of a project as an application that you are going to use with Picket. Every account is created with an initial project, named My First Project, to help you get started!

API Keys

Each project comes with a set of API keys that you must use to authorize your requests when interacting with the Picket API. Request without an API key will result in an error.

There are two types of API keys

  • Publishable keys: These keys are used client-side and are meant for client-side libraries, like picket-js.

  • Secret keys: As the name suggests, these must be kept secret. They are meant for server-side libraries, like picket-node

Authorization to the API is performed via HTTP Basic Auth. Provide your API key as the basic auth username. You do not need to provide a password. API Authorization is handled for you in any of Picket's SDKs.


Redirect URIs

Each project also has an associated list of whitelisted redirect URIs. Redirect URIs are part of the OAuth 2.0 standard and are validated as part of the client-side auth flow.

Redirect URIs ensure that only your project (aka "client" or "application") can use the project's publishable key to authorize users. If you are testing out Picket locally at http://localhost:3000/, you can add http://localhost:3000/ as a redirect URI to your project.

Notice the training slash in http://localhost:3000/.Trailing slashes matter in redirect URIs. If you want to ignore trailing slashes, add both http://localhost:3000 and http://localhost:3000 to the project redirect URIs.

Only use trusted domains for production projects! Do not allow http://localhost:3000 for a production application.

Last updated