
Variables and API Keys

Welcome to lomi.’s comprehensive guide on managing variables and API keys. This guide will help you understand how to securely handle authentication and configuration in your lomi. integration.

API Keys

API keys are the foundation of authentication in lomi.’s API. Each key has a specific prefix that indicates its environment and purpose.

Test Keys

# Format: lomi_sk_test_[random_string]
export LOMI_API_KEY=lomi_sk_test_abc123...

Test keys have the following properties:

  • Intended for development and testing environments
  • No real transactions are processed
  • Test credentials always work
  • Safe for experimentation

Live Keys

# Format: lomi_sk_live_[random_string]
export LOMI_API_KEY=lomi_sk_live_xyz789...

Live keys have the following properties:

  • Used in the production environment
  • Process real transactions
  • Require completed verification
  • Must be handled with the utmost security

Environment Variables

Required Variables

# API Authentication
LOMI_API_KEY=your_api_key
 
# Webhook Security
LOMI_WEBHOOK_SECRET=your_webhook_secret

Optional Variables

# Environment Selection (set only one; a later assignment overrides an earlier one)
# Production (default)
LOMI_API_URL=https://api.lomi.africa/v1
# Sandbox
# LOMI_API_URL=https://sandbox.api.lomi.africa/v1
 
# Timeouts: API request timeout in ms
LOMI_TIMEOUT=30000

Implementation Examples

Node.js SDK Integration

import { LomiSDK } from 'lomi-node';
 
const lomi = new LomiSDK({
  apiKey: process.env.LOMI_API_KEY,
  baseUrl: process.env.LOMI_API_URL,
  // Parse the timeout as a base-10 integer (milliseconds)
  timeout: parseInt(process.env.LOMI_TIMEOUT || '30000', 10)
});

Direct API Calls

const headers = {
  'x-api-key': process.env.LOMI_API_KEY,
  'Content-Type': 'application/json'
};
 
const response = await fetch('https://api.lomi.africa/v1/checkout/sessions', {
  method: 'POST',
  headers,
  body: JSON.stringify({
    merchant_id: process.env.LOMI_MERCHANT_ID,
    // ... other parameters
  })
});

Webhook Implementation

const isValid = lomi.webhooks.verifySignature(
  payload,
  headers['lomi-signature'],
  process.env.LOMI_WEBHOOK_SECRET
);

Key Management Best Practices

1. Key Storage

  • Never commit API keys to version control
  • Use environment variables
  • Implement secrets management in production
  • Keep keys secure and private

2. Access Control

  • Restrict key access to necessary team members
  • Don’t share keys between applications
  • Rotate keys periodically
  • Monitor key usage

3. Environment Separation

  • Use test keys for development
  • Use live keys only in production
  • Validate environment before deployment
  • Implement proper error handling
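
A pre-deployment check for the "Validate environment before deployment" item above, written as an added example rather than lomi. SDK code. The key prefixes and API URLs are the ones documented on this page; using NODE_ENV to identify production, and the function names, are assumptions.

```javascript
// Added example: pre-deployment configuration check (not part of the lomi. SDK).
// Prefixes and URLs come from this page; NODE_ENV as the production marker is an assumption.
const KEY_PREFIXES = { test: 'lomi_sk_test_', live: 'lomi_sk_live_' };
const KNOWN_API_URLS = [
  'https://api.lomi.africa/v1',
  'https://sandbox.api.lomi.africa/v1',
];

// Returns 'test', 'live', or null when the prefix is missing or nothing follows it.
function keyMode(apiKey) {
  const hit = Object.entries(KEY_PREFIXES)
    .find(([, prefix]) => apiKey.startsWith(prefix) && apiKey.length > prefix.length);
  return hit ? hit[0] : null;
}

// Keep only the prefix so the key can be mentioned in logs without leaking it.
function redactKey(apiKey) {
  const mode = keyMode(apiKey);
  return mode ? `${KEY_PREFIXES[mode]}****` : '****';
}

// Collects every problem instead of stopping at the first one.
function validateLomiEnv(env) {
  const errors = [];
  const production = env.NODE_ENV === 'production';
  const mode = keyMode(env.LOMI_API_KEY || '');

  if (!env.LOMI_API_KEY) errors.push('LOMI_API_KEY is not set');
  else if (!mode) errors.push('LOMI_API_KEY has an unrecognised prefix');
  else if (production && mode !== 'live') errors.push('test key used in production');
  else if (!production && mode === 'live') errors.push('live key used outside production');

  if (!env.LOMI_WEBHOOK_SECRET) errors.push('LOMI_WEBHOOK_SECRET is not set');
  // An unexpected or non-HTTPS URL would send the API key to the wrong place.
  if (env.LOMI_API_URL && !KNOWN_API_URLS.includes(env.LOMI_API_URL)) {
    errors.push('LOMI_API_URL is not a documented lomi. endpoint');
  }
  if (env.LOMI_TIMEOUT !== undefined && !/^[1-9]\d*$/.test(env.LOMI_TIMEOUT)) {
    errors.push('LOMI_TIMEOUT must be a positive integer (ms)');
  }
  return { ok: errors.length === 0, errors, key: redactKey(env.LOMI_API_KEY || '') };
}

// Constructed sample input: a live key in a non-production environment.
const sample = { NODE_ENV: 'development', LOMI_API_KEY: 'lomi_sk_live_EXAMPLE', LOMI_WEBHOOK_SECRET: 'constructed-secret' };
console.log(validateLomiEnv(sample));
```

Call `validateLomiEnv(process.env)` at process start or as a CI step, and exit non-zero when `ok` is false.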

Error Handling

Handle API-key-related errors gracefully:

try {
  const session = await lomi.checkoutSessions.create({
    // ... parameters
  });
} catch (error) {
  switch (error.statusCode) {
    case 401:
      console.error('Invalid or missing API key');
      break;
    case 403:
      console.error('API key does not have required permissions');
      break;
    default:
      // Not a key-related error: rethrow instead of silently swallowing it
      throw error;
  }
}

Rate Limits

  • 100 requests per 15 minutes per IP
  • Applies to both test and live keys
  • Rate limit headers included in responses
  • Implement proper retry logic

Security Configuration

1. Environment Files

# .env.example
LOMI_API_KEY=
LOMI_WEBHOOK_SECRET=
LOMI_API_URL=
 
# .gitignore
.env
.env.local

2. CI/CD Security

  • Use secret management services
  • Encrypt environment variables
  • Implement regular security audits
  • Monitor for suspicious activity
