Skip to main content
Questions about agentic commerce, merchants, or refunds? See the Agentic Commerce FAQs. CLI issues? See Prava Pay Troubleshooting.

Keys & environments

Which key goes where? pk_* (publishable) initializes the SDK in the browser; sk_* (secret) stays server-side for sessions, results, and card management. Full table: Authentication. My key returns AUTH_1001 but it’s correct. Check environment pairing: sk_test_* only works against sandbox.api.prava.space, sk_live_* only against api.prava.space. Where do I get keys? Self-serve at dashboard.prava.space; see the Quickstart. No invite or waiting.

Sessions

How long does a session last? 15 minutes (expires_at in the create response). Create sessions when the user is ready to pay; once expired, create a new one rather than reusing it. Can I create multiple sessions per user? Technically yes, but create one per checkout flow and complete or revoke it before starting another. payment-result stays pending forever. The cardholder hasn’t completed card entry + passkey approval (Touch ID / Face ID) on the Prava surface. Confirm they opened the iframe_url (hosted) or that collectPAN mounted without errors (embedded).

The iframe / collectPAN

The iframe won’t load (IFRAME_LOAD_ERROR). Verify you passed the iframe_url from the session response, and that your page’s domain is in allowed domains in the dashboard; other origins are rejected. Can I style the card form? The card fields live inside Prava’s PCI-scoped iframe and aren’t arbitrarily styleable from your page. Position and size the container; the iframe handles the rest. Do I ever touch the card number? No. You receive { enrollmentId, last4, brand, expMonth, expYear }, never the PAN (the full card number). That’s what keeps you out of PCI scope, the security compliance that applies once you handle card data.

Tokens & checkout

Can I reuse a token? No — payment tokens are single-use, merchant-locked, amount-scoped, and short-lived. If a checkout fails, report DECLINED and start a new session. What’s a dynamic_cvv? The single-use CVV paired with the token (the CLI calls it a Cryptogram). Terminology map: Glossary. Do I have to call report-status? Yes, always — APPROVED or DECLINED. It closes the loop with transaction records and the card network. Unreported checkouts leave the transaction in awaiting_result.

Going further

Webhooks? Coming soon: configuration exists today, delivery is rolling out. Poll Get Payment Result meanwhile. See Authentication → Webhooks. Test cards? Published on Test Cards, together with the test OTP, organized by card network. Sandbox only. Pricing? Contact support@prava.space for current pricing. Something not covered here? support@prava.space; include the X-Response-ID header of any failing request.