Overview
The Developers section of your Partner Dashboard is the technical control centre for your integration. It's where you manage your API keys, the domains allowed to display MoonPay, and the webhooks that notify your systems about events. This article walks through each, and points out the things partners most often get caught on.
You'll find everything below under Developers in your dashboard, split across three tabs: General, API Keys, and Webhooks.
Your API keys
Open Developers → API Keys. You'll see two environments, each managed separately:
Test keys are always available, for development against test mode and simulated transactions
Production keys are for live transactions. They stay hidden until your product is approved, so if you don't see a Production section yet, that's expected — it appears automatically once you're approved
Each environment gives you three keys:
Publishable Key. Used in your frontend to identify your integration. Format
pk_test_…orpk_live_…Secret Key. Used for server-to-server API calls. Format
sk_test_…orsk_live_…Webhook Key. Used to verify webhook signatures at the account level
Important: Your Secret Key should never be shared, exposed in your frontend, or committed to your codebase. If it's ever exposed, rotate it immediately using the refresh icon next to the key — you don't need to wait for support.
Tip: Rotating a key is self-service. Use the copy and refresh icons next to each key to copy it or generate a new one.
Your domains
Open Developers → General → App or website domains. This is the list of domains allowed to display your MoonPay integration.
To add a domain, click Add domain, enter the URL, and click Save changes
To remove one, use the trash icon next to it, then save
Both https:// URLs and http://localhost (for local development) are accepted
Note: If you see a frame-ancestors error — something like "Framing 'https://blocks.moonpay.com' violates 'frame-ancestors' CSP" — it usually means the domain you're loading MoonPay on hasn't been added here. Add the affected domain and save, and the error should clear.
Your webhooks
Open Developers → Webhooks to set up endpoints that notify your systems in real time when something happens — for example when a transaction is created, updated, or fails.
Click Add Webhook to create an endpoint and choose which events it subscribes to
Each webhook has its own signing secret, shown with reveal and copy icons on its row. Use this per-webhook secret to verify incoming payloads
Use the test/trigger action on a webhook's row to send a test event and confirm your endpoint is working
Webhooks are scoped per environment — check the Prod / Test indicator so you're configuring the right one
Note: A webhook's own signing secret is different from the account-level Webhook Key on the API Keys tab. To verify webhook signatures, use the per-webhook secret, not the account-level key.
FAQs
Why can't I see my production API keys?
Why can't I see my production API keys?
Production keys stay hidden until your product is approved. Once you're approved, the Production section appears automatically with your live keys.
I think my Secret Key was exposed — what do I do?
I think my Secret Key was exposed — what do I do?
Rotate it yourself straight away using the refresh icon next to the key. There's no need to wait for support.
Why is my integration showing a framing or CSP error?
Why is my integration showing a framing or CSP error?
The domain you're loading MoonPay on probably isn't on your allowed list. Add it under Developers → General → App or website domains and save.
What's the difference between the Webhook Key and a webhook's signing secret?
What's the difference between the Webhook Key and a webhook's signing secret?
The Webhook Key (on the API Keys tab) is account-level. Each individual webhook also has its own signing secret on the Webhooks tab — that's the one you use to verify that webhook's payloads.
Where to get help
If you've added your domain correctly and still hit a framing error, or a webhook is configured right but events aren't arriving, just ask Nova — our AI assistant, right there in your dashboard. Nova gives instant answers to most questions, and if it can't resolve something on its own, it'll create a support request and pass it to our partner support team for you.