2. Get Credentials

Onboarding2. &Get PartnershipCredentials

Get Credentials

ToThis ~~use~~page ~~the~~explains ~~Partner~~how you get access, what credentials mean, and what still has to be approved before rewards can be issued.

Sandbox vs production

Environment Purpose What you can do Sandbox Build and test your integration Create keys, make signed API ~~you~~calls, ~~must~~test bedonation anlinks, ~~approved~~test ~~partner~~.reward ~~The~~flows ~~Partner~~if ~~API~~a sandbox token pool is ~~not~~provisioned ~~self-serve~~ —~~there~~Production isIssue noreal ~~public~~rewards ~~sign-up~~Requires ~~endpoint.~~approval, ~~Access~~production iscredentials, ~~granted~~and bya production token pool

Self-service credentials

If you have a SIR Giving ~~administrators~~account ~~after~~with access to partner keys, creating your first API key automatically creates a ~~partnership~~Partner ~~review.~~record linked to your user.

Use:

POST /v1/partner/keys
Authorization: Bearer <your user JWT>
Content-Type: application/json

{
  "name": "Sandbox Integration",
  "environment": "sandbox",
  "keyType": "secret"
}

The response includes:

{
  "id": "key_...",
  "partnerId": "...",
  "name": "Sandbox Integration",
  "environment": "sandbox",
  "publicKey": "pk_test_...",
  "secretKey": "sk_test_...",
  "hmacSecret": "64-character-hex-string"
}

Store secretKey and hmacSecret immediately. They are not shown again.

WhyProduction approval

Production rewards require approval isbecause ~~required~~SIR

~~Two~~tokens ~~reasons:~~

have

real ~~Token~~value ~~pool~~and ~~funding.~~ ~~Every~~every reward ~~you issue~~ draws from a token ~~pool~~pool. ~~that~~

Before production launch, SIR Giving ~~allocates to you. We need to size the pool to your expected volume and lock in restrictions (vesting, expiration, redemption rules) before you start issuing.~~

~~Compliance and trust.~~ ~~SIR tokens are redeemable for real value. Every approved partner is contractually bound to acceptable-use terms and provides KYB/identity verification.~~

Approval workflow

Partner Inquiry
     │
     ▼
Sales / Business Review ──── (reject)
     │ approved
     ▼
Contract & Compliance signed
     │
     ▼
Admin creates Partner record (status: PENDING_APPROVAL)
     │
     ▼
Admin generates API key pair  (POST /api/v1/admin/partners/:id/keys)
     │
     ▼
Admin allocates initial token pool
     │
     ▼
Partner status set to ACTIVE  ─── you can now call the API
     │
     ▼
Sandbox testing → Production cutover

What we need from you to start

needs:

Item	~~Purpose~~Why it matters
Partner name &and legal entity	Account and compliance record
Contact email	Operational ~~notifications,~~alerts and key expiry ~~alerts~~notices
Use case summary	~~Sizing~~Confirms acceptable use and token ~~pool, identifying required stakeholder types~~

~~Integration model~~ ~~Server-to-server only / widget-only / both~~economics Expected monthly action volume ~~Rate~~Sets ~~limit~~rate ~~tier~~limits ~~(Standard~~and /token ~~Professional~~pool ~~/ Enterprise)~~size Action types ~~you'll~~Confirms what events you will submit WeStakeholder ~~register~~model stakeholderTypeCodeConfirms ~~values~~who ~~you'll~~receives ~~use~~rewards Webhook ~~endpoint~~ URL ~~(optional at start)~~ ~~We'll~~Lets ~~register~~SIR ~~this~~Giving ~~for~~send ~~you~~reward lifecycle ~~IP allowlist (optional)~~ ~~Restricts where keys are valid~~events

What

After weapproval, ~~provide~~SIR ~~back~~Giving provides or enables:

~~Partner~~Production IDAPI ~~— Mongo ObjectId, used in admin URLs.~~credentials.
~~Partner~~A ~~slug~~production —token ~~short string used in some responses.~~pool.
~~One API key pair~~:
~~Publishable key:~~ pk_test_<64hex> ~~(sandbox)~~Campaign or pk_live_<64hex>reward ~~(prod)~~rules, if needed.
~~Secret~~Production ~~key:~~webhook sk_test_<64hex> or sk_live_<64hex>

~~HMAC signing secret: 64-char hex string~~configuration.

What

~~Token pool~~ ~~with allocated balance you can draw from.~~ ~~Default campaign~~ ~~(optional) defining split rules for your common action types.~~

~~The secret key and HMAC secret are returned once, in the response body when the~~each key is ~~generated. They are never retrievable again.~~ ~~If lost, an admin must rotate the key — your old key will continue to work until revoked, allowing zero-downtime rotation.~~

API key types — pk vs skfor

~~Property~~Key	~~Publishable~~Where (`pk_`)it belongs	~~Secret~~Use (`sk_`)it for
~~Where~~`pk_test_...` itor ~~lives~~`pk_live_...`	~~Browser,~~Browser or mobile ~~app, HTML~~app	~~Server~~Donation ~~only~~links, public config, organization lookup
~~Auth~~`sk_test_...` ~~headers~~or ~~needed~~`sk_live_...`	`X-Partner-Key`Backend only	`X-Partner-Key`Users, +actions, `X-Timestamp`campaigns, +token `X-Signature`pools, webhooks, dashboard data
~~What it can do~~`hmacSecret`	~~Read~~Backend ~~public~~secret ~~partner config, look up nonprofit by slug, create donation links~~manager	~~All~~Signing ofserver-to-server ~~the above + submit actions, manage users/webhooks/campaigns, view transactions~~

~~If leaked~~ ~~Low blast radius (rate-limited, scoped)~~ ~~High — rotate immediately~~requests

Check your partner record

~~The~~After creating a key, verify your Partner record:

@RequiresSecretKey()GET /v1/partner/keys/partner-info
Authorization: Bearer <your user JWT>

~~decorator~~

You ~~marks~~should ~~endpoints~~see ~~(e.g.~~your ~~action~~partner ~~submission,~~ID, ~~webhook~~name, ~~registration,~~slug, ~~action~~status, ~~reversal)~~enabled ~~that~~features, ~~reject~~and rate limit.

Check your keys

pk_GET /v1/partner/keys
Authorization: Bearer <your user JWT>

This lists keys ~~with~~ ~~403 Forbidden~~.

Environments

live ~~keys talk to~~ api.sirgiving.org. test ~~keys talk to~~ devapi.sirgiving.org~~. The HMAC guard~~but does not ~~enforce~~return ~~environment~~secret ~~matching~~values.

Go-live checklist

Before switching to production:

You have a pk_live_... and sk_live_... key. Your backend signs requests with the ~~network~~production ~~layer~~hmacSecret. —You have an active production token pool. Your webhook endpoint is reachable from the ~~key~~public ~~prefix~~internet. ~~tells~~Your uswebhook ~~which~~handler ~~dataset~~verifies toX-SIR-Signature. ~~operate~~Your ~~against.~~action ~~Always~~requests ~~test~~use ~~against~~stable, ~~the~~unique ~~sandbox~~idempotencyKey ~~first.~~values.

Partner

You ~~tiers~~have tested retries and rate ~~limits~~limit

~~Your tier is set by an admin based on contract terms:~~

~~Tier~~ ~~Hourly~~ ~~Burst (per minute)~~ ~~Standard~~ ~~1,000~~ ~~100~~ ~~Professional~~ ~~5,000~~ ~~500~~ ~~Enterprise~~ ~~20,000~~ ~~2,000~~

~~Headers on every response:~~

X-RateLimit-Limit ~~— your hourly cap~~ X-RateLimit-Remaining ~~— requests left in window~~ X-RateLimit-Reset ~~— unix timestamp when window resets~~ X-RateLimit-RetryAfter ~~(only on 429) — seconds to wait~~handling.

Partner statuses

PENDING_APPROVAL ~~— record created but cannot call API.~~ ACTIVE ~~— full access.~~ SUSPENDED ~~— all calls return 401~~ PARTNER_SUSPENDED~~. Reach out to support.~~ ~~Other non-~~ACTIVE ~~states return 401~~ PARTNER_NOT_ACTIVE.

~~The~~ partner.status_changed ~~webhook fires whenever your status transitions.~~

Key rotation & revocation

~~Admins can:~~

~~Rotate~~: POST /api/v1/admin/partners/:id/keys/:keyId/rotate ~~issues a brand-new pair with the same scopes; the old pair stays active until you explicitly revoke it.~~ ~~Revoke~~: DELETE /api/v1/admin/partners/:id/keys/:keyId ~~deactivates immediately.~~

~~The~~ api_key.expiring ~~webhook fires before a key reaches its~~ expiresAt.