Connect
Connect is where developers register Applications. Each Application gets its own API Key and Public Key, which your code uses to authenticate against the platform's APIs. URL: /connect/applications.
"You can build your own applications on top our platform. Add a new application to get an API Key and have a look at the API documentation to start building."
The model is: one Application per integration. If you have a backend service plus a separate reconciliation script, register two Applications — that way each can be rotated or revoked independently.
Add a new Application
Click + Add new App at the top right of the Applications list.
Walk through and capture: every field shown (Name, Currency, Application domain, App type — see options observed below), validation rules, what's editable later vs. fixed, and what happens immediately after Save (does it show creds once and only once, or always?).
Application detail
Once an Application exists, its detail panel shows the following fields:
| Field | What it is | Editable |
|---|---|---|
| Name | Human-readable label for the integration. | yes (TBD confirm) |
| Currency | The currency this Application transacts in (e.g., EUR). | TBD |
| Application domain | The domain you'll call from / host on (e.g., https://your-service.com). | TBD |
| Application ID | Stable UUID identifying the App (e.g., 6ddd096d-…). Copy button alongside. | no |
| App type | Observed: API. Other types may exist (e.g., for client-side / mobile apps). | TBD |
| API Key (secret) | A long signed token. Server-side only — never embed in a browser, mobile app, or commit to source control. Copy button alongside. | rotate via Delete + recreate (TBD) |
| Public Key (public) | Prefixed pk_development_ (or pk_live_ in production, presumably). Safe to ship to clients. Copy button alongside. | rotate via Delete + recreate (TBD) |
A Delete App action sits at the top of the detail.
The API Key shown on this page is a JWT. It grants programmatic access to the merchant account, acting on the merchant's behalf. If you see it in a screenshot, source-control commit, log, or chat message, rotate it immediately by deleting the App and creating a new one.
There's no separate "rotate" button observed — recreation is the rotation path. Roll the new key out everywhere it's used, then delete the old App.
- Is there a separate "Rotate key" affordance I missed?
- Does deleting an App immediately invalidate its keys, or is there a grace period?
- Is there a "Last used" indicator for the keys?
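A leaked-key check for the situation described above, as an added example that is not the platform's own code: it scans text such as log lines or staged files for JWT-shaped API Keys and pk_-prefixed Public Keys, and redacts what it reports. The sample input is constructed, and the Public Key character set after the prefix is an assumption.

```javascript
// Added example, not platform code. Assumes the API Key is a standard
// three-segment JWT (as this page states) and that Public Keys look like
// pk_<environment>_<alphanumerics> (the suffix character set is an assumption).
const JWT_RE = /(?<![A-Za-z0-9_-])(eyJ[A-Za-z0-9_-]+)\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
const PUBLIC_KEY_RE = /\bpk_[a-z]+_[A-Za-z0-9]+/g;

// A real JWT header is base64url-encoded JSON carrying an "alg" field.
// Checking that removes most false positives from dotted identifiers.
function decodeJwtHeader(segment) {
  try {
    const header = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
    return header && typeof header.alg === "string" ? header : null;
  } catch {
    return null;
  }
}

// Never echo a full secret into scanner output.
const redact = (token) => `${token.slice(0, 6)}…[${token.length} chars]`;

function scanForKeys(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(JWT_RE)) {
      if (decodeJwtHeader(m[1])) {
        findings.push({ line: i + 1, kind: "api-key", action: "rotate", preview: redact(m[0]) });
      }
    }
    for (const m of line.matchAll(PUBLIC_KEY_RE)) {
      findings.push({ line: i + 1, kind: "public-key", action: "none", preview: redact(m[0]) });
    }
  });
  return findings;
}

// Constructed sample input: a fake token built inline, not a real credential.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const SAMPLE_JWT = [b64({ alg: "HS256", typ: "JWT" }), b64({ sub: "constructed-app" }), "A".repeat(43)].join(".");
const SAMPLE = [
  "INFO request ok path=/v1/transactions",
  `DEBUG headers: Authorization: Bearer ${SAMPLE_JWT}`,
  'publicKey: "pk_development_CONSTRUCTED123"',
  "build tag eyJunk.not.ajwt",
].join("\n");

console.log(scanForKeys(SAMPLE));
```

In a pre-commit hook or CI step, fail the run when any finding has kind "api-key"; "public-key" findings are informational because that key is safe to ship to clients.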
API Key vs. Public Key
| Key | Where it goes | Use cases |
|---|---|---|
| API Key (secret) | Server-side environment variable only | Authenticated REST/GraphQL calls from your backend |
| Public Key (public) | Safe in browser / mobile clients | Client-side SDKs, hosted-checkout init |
The Public Key prefix tells you which environment it's for: pk_development_… for the dev environment; production presumably uses a different prefix.
- Does every endpoint require the secret, or are some accessible with just the public key?
- What does the pk_… prefix become in production? pk_live_…?
How to use the keys
```bash
curl https://api.pomelopay.com/v1/transactions \
  -H "Authorization: Bearer $POMELO_API_KEY"
```

```js
const sdk = new PomeloJS({
  publicKey: process.env.POMELO_PUBLIC_KEY, // pk_development_… or pk_live_…
});
```
The snippets above are illustrative. Replace with the real values once confirmed.
See API keys for the full lifecycle (rotation, revocation, security practices).
Webhooks
The side nav shows a top-level Webhooks entry, but on this dev account it's not active — clicking it doesn't navigate. It may be feature-gated (paid tier or beta).
If your account has Webhooks enabled, see Webhooks.
On an account where Webhooks is active, capture the page (URL probably /connect/webhooks or similar) and update the Webhooks page with the real configuration UI.
Related
- API keys — security practices, rotation, troubleshooting.
- Webhooks — receive event notifications.
- Authentication — overview of all auth schemes.