Publishable keys
Each client has two keys with different scopes:
| Key | Where it lives | Can do |
|---|---|---|
| hm_test_… / hm_live_… | Server only, never expose to browser | Create invoices, list, rotate, everything |
| pk_test_… / pk_live_… | Browser, safe to ship in JS bundles | Read invoices belonging to its client. Nothing else. |
The publishable key is scope-restricted on the server side. Even if someone scrapes it from your page source, they can only use it to read invoices that already exist for your client. They cannot create, list, or modify anything.
Find your publishable key in the dashboard under Clients. It's shown on every client card.
Never put the secret key in client code
The hm_* keys belong only on your server. They can create invoices, see every merchant-scoped resource, and rotate secrets. If you ship one to the browser (even accidentally in a Next.js NEXT_PUBLIC_* variable), rotate it immediately from Settings → Rotate API key.
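A pre-deploy guard for the mistake described above, as an added example that is not part of the original page or the vendor's tooling: it flags hm_* keys assigned to NEXT_PUBLIC_* variables in a .env file and hm_* keys embedded in built client assets. The function names, sample file paths, and the assumption that a key body consists of letters, digits, `_` and `-` are hypothetical; the page only documents the prefixes.

```javascript
// Added example. Assumption: key body after the prefix is [A-Za-z0-9_-]+.
const SECRET_KEY = /\bhm_(?:test|live)_[A-Za-z0-9_-]+/g;

// Keep only the prefix so findings can be logged without re-leaking the key.
function mask(key) {
  return key.match(/^hm_(?:test|live)_/)[0] + "***";
}

// .env check: Next.js inlines NEXT_PUBLIC_* values into the browser bundle,
// so a secret key must never be assigned to one. Comment lines are ignored.
function checkEnv(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) return;
    const [, name, value] = m;
    const keys = value.match(SECRET_KEY) || [];
    if (name.startsWith("NEXT_PUBLIC_") && keys.length > 0) {
      findings.push({ line: i + 1, name, key: mask(keys[0]) });
    }
  });
  return findings;
}

// Bundle check: any hm_* key in a client asset is a leak, whatever its origin.
// `files` maps asset path -> file content (read from the build output directory).
function checkBundle(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    for (const key of content.match(SECRET_KEY) || []) {
      findings.push({ path, key: mask(key) });
    }
  }
  return findings;
}

// Constructed sample input; the key values are made up.
const sampleEnv = [
  "# NEXT_PUBLIC_OLD=hm_live_EXAMPLEcommented",
  "HM_SECRET_KEY=hm_live_EXAMPLEsecret123",        // server-side variable: fine
  "NEXT_PUBLIC_HM_KEY=pk_live_EXAMPLEpub456",      // publishable key: fine
  "NEXT_PUBLIC_API_KEY=hm_test_EXAMPLEleak789",    // secret key exposed to browser
].join("\n");
const sampleBundle = {
  "static/chunks/app.js": 'const k="pk_live_EXAMPLEpub456";',
  "static/chunks/pay.js": 'const k="hm_test_EXAMPLEleak789";',
};
console.log(checkEnv(sampleEnv), checkBundle(sampleBundle));
```

A non-empty result from either function should fail the build, and the affected key should be rotated as described above.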