Authentication

HelaMesh exposes two distinct authentication surfaces:

Surface	Used by	Header
API key	Your backend → HelaMesh API	`x-api-key: hm_test_…` / `hm_live_…`
Session cookie	Browser → HelaMesh dashboard	`Cookie: hm_session=…` (httpOnly)

You only need API keys to integrate. Generate one when you create a client in the dashboard. Keys are SHA-256 hashed at rest and shown exactly once at creation — store them in your secrets manager.

Keep your secret key server-side

Treat API keys like passwords. Never commit them. Never ship them in client-side bundles. If a key leaks, rotate it immediately from Settings → Rotate API key.

Two types of keys

For browser code that renders the checkout embed or the chain picker, HelaMesh also provides a publishable key (pk_test_* / pk_live_*). Publishable keys are scope-restricted to read-only invoice access and are safe to ship in browser bundles. See Publishable keys in the SDK section.

Rotating keys

From the dashboard Settings page for any client, you can rotate:

The secret API key — old key stops working instantly, new key shown once
The publishable key — browser integrations stop working until the new pk is deployed
The webhook signing secret — old secret stops validating incoming webhooks

All three rotations are instant. Plan deploys accordingly.

Two types of keys​

Rotating keys​

Two types of keys

Rotating keys