Environment variables
Securely manage your API keys and environment variables.
API keys
lomi. provides two types of API keys for each environment:
- Secret Keys (
sk_...): Full access, server-side only. Never share these. - Publishable Keys (
pk_...): Limited access, safe for client-side use.
Managing environment variables
Set these in your .env file or deployment configuration:
# Required: Your secret key
LOMI_SECRET_KEY=sk_test_xxxxxxxxxxxxxxxxxxxxxx
# Required: Your webhook secret
LOMI_WEBHOOK_SECRET=whsec_xxxxxxxxxxxxxxxxxxxxxx
# Optional: Base URL (defaults to https://api.lomi.africa)
# LOMI_API_URL=https://api.lomi.africaInitialization examples
How to initialize the SDK with your environment variables:
import { LomiSDK } from '@lomi./sdk';
const lomi = new LomiSDK({
apiKey: process.env.LOMI_SECRET_KEY!,
environment: 'live', // or 'test'
// Optional: Custom timeout
timeout: 30000,
});import os
from lomi import LomiClient
api_client = LomiClient(
api_key=os.environ["LOMI_SECRET_KEY"],
environment="test" # or "live"
)import (
"os"
lomi "github.com/lomiafrica/lomi-go-sdk"
)
configuration := lomi.NewConfiguration()
// Override host for sandbox
configuration.Servers = lomi.ServerConfigurations{
{
URL: "https://sandbox.api.lomi.africa",
Description: "Sandbox Environment",
},
}
client := lomi.NewAPIClient(configuration)use Lomi\Configuration;
$config = Configuration::getDefaultConfiguration()
->setApiKey('X-API-KEY', getenv('LOMI_SECRET_KEY'))
->setHost('https://sandbox.api.lomi.africa');Webhook verification
Verify incoming webhooks using your LOMI_WEBHOOK_SECRET:
// Express example
import crypto from 'crypto';
app.post('/webhook', (req, res) => {
const signature = req.headers['x-lomi-signature'];
const secret = process.env.LOMI_WEBHOOK_SECRET!;
const expected = crypto
.createHmac('sha256', secret)
.update(req.rawBody)
.digest('hex');
if (signature !== expected) {
return res.status(400).send('Invalid signature');
}
// Process event...
});# Flask example
import hmac
import hashlib
@app.route('/webhook', methods=['POST'])
def webhook():
signature = request.headers.get('x-lomi-signature')
secret = os.environ['LOMI_WEBHOOK_SECRET'].encode()
expected = hmac.new(secret, request.data, hashlib.sha256).hexdigest()
if not hmac.compare_digest(signature, expected):
return jsonify({'error': 'Invalid signature'}), 400
# Process event...func webhookHandler(w http.ResponseWriter, r *http.Request) {
signature := r.Header.Get("x-lomi-signature")
secret := os.Getenv("LOMI_WEBHOOK_SECRET")
body, _ := io.ReadAll(r.Body)
mac := hmac.New(sha256.New, []byte(secret))
mac.Write(body)
expected := hex.EncodeToString(mac.Sum(nil))
if !hmac.Equal([]byte(signature), []byte(expected)) {
http.Error(w, "Invalid signature", http.StatusBadRequest)
return
}
}$signature = $_SERVER['HTTP_X_LOMI_SIGNATURE'];
$secret = getenv('LOMI_WEBHOOK_SECRET');
$payload = file_get_contents('php://input');
$expected = hash_hmac('sha256', $payload, $secret);
if (!hash_equals($expected, $signature)) {
die('Invalid signature');
}