Authentication
API key generation, rotation, scopes, and webhook signing secrets for the LostChurn API.
The LostChurn API uses API keys for authentication. Every request must include a valid API key in the Authorization header.
API Key Format
LostChurn API keys use a prefixed format that indicates the key type and environment:
| Prefix | Type | Environment |
|---|---|---|
lc_live_ | Secret key | Production |
lc_test_ | Secret key | Test / Sandbox |
lc_pub_ | Publishable key | Client-side (widgets) |
Secret keys (lc_live_ and lc_test_) grant access to the full API and must be kept confidential. Never expose them in client-side code, public repositories, or logs.
Publishable keys (lc_pub_) are safe to include in client-side code. They are used by widgets to check customer payment status. Publishable keys have read-only access scoped to individual customer lookups.
Using API Keys
Include your API key in the Authorization header with the Bearer scheme:
curl https://api.lostchurn.com/v1/payments \
-H "Authorization: Bearer lc_live_your_api_key"Do not pass API keys as query parameters. Query parameter authentication is not supported.
Generating API Keys
- In the LostChurn dashboard, go to Settings > API Keys.
- Click Create API Key.
- Enter a name for the key (e.g., "Backend Server", "CI Pipeline").
- Select the environment: Live or Test.
- Select the scopes you want to grant (see below).
- Click Create.
- Copy the key immediately -- it is only shown once.
API keys are displayed only once at creation time. If you lose a key, you must revoke it and create a new one. Store keys securely using environment variables or a secrets manager.
Scopes
API keys can be scoped to limit what operations they can perform. This follows the principle of least privilege -- grant only the permissions your integration needs.
| Scope | Permissions |
|---|---|
read | Read access to all resources (payments, customers, campaigns, analytics) |
write | Create and update resources (trigger retries, create campaigns, update customers) |
admin | Full access including key management, integration settings, and workspace configuration |
webhooks | Manage webhook endpoints and signing secrets |
analytics | Read access to analytics endpoints only |
Scope Combinations
You can assign multiple scopes to a single key:
| Use Case | Recommended Scopes |
|---|---|
| Dashboard integration (read-only) | read |
| Backend recovery automation | read, write |
| Analytics pipeline | analytics |
| Full API access | read, write, admin |
| Webhook management only | webhooks |
| CI/CD deployment | read, write, webhooks |
Checking Key Scopes
You can verify an API key's scopes by calling the identity endpoint:
curl https://api.lostchurn.com/v1/auth/me \
-H "Authorization: Bearer lc_live_your_api_key"Response:
{
"data": {
"key_id": "key_abc123",
"name": "Backend Server",
"environment": "live",
"scopes": ["read", "write"],
"created_at": "2025-01-15T10:30:00Z",
"last_used_at": "2025-03-08T14:22:00Z"
}
}Key Rotation
Rotate API keys regularly to limit exposure from potential leaks. LostChurn supports zero-downtime rotation:
- Go to Settings > API Keys.
- Click Rotate next to the key you want to replace.
- LostChurn generates a new key with the same name and scopes.
- Both the old and new key are valid for a grace period of 24 hours.
- Update your application to use the new key.
- After the grace period, the old key is automatically revoked.
You can also revoke the old key immediately by clicking Revoke Old Key if you have already updated all consumers.
Rotation Best Practices
| Practice | Recommendation |
|---|---|
| Rotation frequency | Every 90 days, or immediately if a key may have been compromised |
| Storage | Use environment variables or a secrets manager (e.g., AWS Secrets Manager, Vault) |
| Access logs | Review key usage in Settings > API Keys > Activity to detect anomalies |
| Scope reduction | When rotating, review whether the key still needs all its current scopes |
Revoking API Keys
To immediately invalidate an API key:
- Go to Settings > API Keys.
- Click Revoke next to the key.
- Confirm the revocation.
Revoked keys return 401 Unauthorized on all requests. Revocation is immediate and cannot be undone. If you revoke a key by mistake, create a new one with the same scopes.
Webhook Signing Secrets
Webhook signing secrets are separate from API keys. They are used to verify the authenticity of outbound webhook payloads that LostChurn sends to your application.
Generating a Webhook Signing Secret
- Go to Settings > Webhooks.
- Click Create Endpoint or edit an existing endpoint.
- The signing secret is generated automatically and displayed once.
- Copy the secret and store it in your application's configuration.
The signing secret starts with whsec_lc_ and is used to compute HMAC-SHA256 signatures on outbound webhook payloads. See Webhooks for verification details.
Rotating Webhook Signing Secrets
- Go to Settings > Webhooks and select the endpoint.
- Click Rotate Secret.
- Both secrets are valid for 24 hours.
- Update your application to verify against the new secret.
- The old secret is revoked after the grace period.
Test vs. Live Keys
Test keys (lc_test_) operate in a sandbox environment:
| Aspect | Test Keys | Live Keys |
|---|---|---|
| Payment retries | Simulated (no real charges) | Real charges via your PSP |
| Webhook events | Test events only | Production events |
| Rate limits | Same as your plan | Same as your plan |
| Data isolation | Separate from live data | Production data |
| Analytics | Separate test analytics | Production analytics |
Use test keys for development, staging environments, and CI pipelines. Switch to live keys when deploying to production.
Next Steps
- API Overview -- base URL, request format, and error handling
- Webhooks -- outbound webhook events and signature verification
- Payments -- query and retry failed payments