Keys & environments
Which key goes where?pk_* (publishable) initializes the SDK in the browser; sk_* (secret)
stays server-side for sessions, results, and card management. Full table:
Authentication.
My key returns AUTH_1001 but it’s correct. Check environment pairing: sk_test_* only works
against sandbox.api.prava.space, sk_live_* only against api.prava.space.
Where do I get keys? Self-serve at dashboard.prava.space;
see the Quickstart. No invite or waiting.
Sessions
How long does a session last? 15 minutes (expires_at in the create response). Create sessions
when the user is ready to pay; once expired, create a new one rather than reusing it.
Can I create multiple sessions per user? Technically yes, but create one per checkout flow and
complete or revoke it before starting another.
payment-result stays pending forever. The cardholder hasn’t completed card entry + passkey
approval (Touch ID / Face ID) on the Prava surface. Confirm they opened the iframe_url (hosted) or that
collectPAN mounted without errors (embedded).
The iframe / collectPAN
The iframe won’t load (IFRAME_LOAD_ERROR). Verify you passed the iframe_url from the session
response, and that your page’s domain is in allowed domains in the dashboard; other origins are
rejected.
Can I style the card form? The card fields live inside Prava’s PCI-scoped iframe and aren’t
arbitrarily styleable from your page. Position and size the container; the iframe handles the rest.
Do I ever touch the card number? No. You receive { enrollmentId, last4, brand, expMonth, expYear }, never the PAN (the full card number). That’s what keeps you out of PCI scope, the
security compliance that applies once you handle card data.
Tokens & checkout
Can I reuse a token? No — payment tokens are single-use, merchant-locked, amount-scoped, and short-lived. If a checkout fails, reportDECLINED and start a new session.
What’s a dynamic_cvv? The single-use CVV paired with the token (the CLI calls it a
Cryptogram). Terminology map: Glossary.
Do I have to call report-status? Yes, always — APPROVED or DECLINED. It closes the loop with
transaction records and the card network. Unreported checkouts leave the transaction in
awaiting_result.
Going further
Webhooks? Coming soon: configuration exists today, delivery is rolling out. Poll Get Payment Result meanwhile. See Authentication → Webhooks. Test cards? Published on Test Cards, together with the test OTP, organized by card network. Sandbox only. Pricing? Contact support@prava.space for current pricing. Something not covered here? support@prava.space; include theX-Response-ID header of any failing request.