> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prava.space/llms.txt
> Use this file to discover all available pages before exploring further.

# Developer FAQ

> Common SDK and REST API integration questions, answered.

*Questions about agentic commerce, merchants, or refunds? See the
[Agentic Commerce FAQs](/integration/faqs). CLI issues? See
[Prava Pay Troubleshooting](/prava-pay/troubleshooting).*

## Keys & environments

**Which key goes where?** `pk_*` (publishable) initializes the SDK in the browser; `sk_*` (secret)
stays server-side for sessions, results, and card management. Full table:
[Authentication](/authentication).

**My key returns `AUTH_1001` but it's correct.** Check environment pairing: `sk_test_*` only works
against `sandbox.api.prava.space`, `sk_live_*` only against `api.prava.space`.

**Where do I get keys?** Self-serve at [dashboard.prava.space](https://dashboard.prava.space);
see the [Quickstart](/quickstart). No invite or waiting.

## Sessions

**How long does a session last?** 15 minutes (`expires_at` in the create response). Create sessions
when the user is ready to pay; once expired, create a new one rather than reusing it.

**Can I create multiple sessions per user?** Technically yes, but create one per checkout flow and
complete or [revoke](/api-reference/revoke-session) it before starting another.

**`payment-result` stays `pending` forever.** The cardholder hasn't completed card entry + passkey
approval (Touch ID / Face ID) on the Prava surface. Confirm they opened the `iframe_url` (hosted) or that
[`collectPAN`](/sdk/cards/collect-pan) mounted without errors (embedded).

## The iframe / collectPAN

**The iframe won't load (`IFRAME_LOAD_ERROR`).** Verify you passed the `iframe_url` from the session
response, and that your page's domain is in **allowed domains** in the dashboard; other origins are
rejected.

**Can I style the card form?** The card fields live inside Prava's PCI-scoped iframe and aren't
arbitrarily styleable from your page. Position and size the container; the iframe handles the rest.

**Do I ever touch the card number?** No. You receive `{ enrollmentId, last4, brand, expMonth,
expYear }`, never the PAN (the full card number). That's what keeps you out of PCI scope, the
security compliance that applies once you handle card data.

## Tokens & checkout

**Can I reuse a token?** No — payment tokens are single-use, merchant-locked, amount-scoped, and
short-lived. If a checkout fails, report `DECLINED` and start a new session.

**What's a `dynamic_cvv`?** The single-use CVV paired with the token (the CLI calls it a
`Cryptogram`). Terminology map: [Glossary](/concepts/glossary).

**Do I have to call report-status?** Yes, always — `APPROVED` or `DECLINED`. It closes the loop with
transaction records and the card network. Unreported checkouts leave the transaction in
`awaiting_result`.

## Going further

**Webhooks?** Coming soon: configuration exists today, delivery is rolling out. Poll
[Get Payment Result](/api-reference/get-payment-result) meanwhile. See
[Authentication → Webhooks](/authentication#webhooks).

**Test cards?** Published on [Test Cards](/api-reference/test-cards), together with the test OTP,
organized by card network. Sandbox only.

**Pricing?** Contact [support@prava.space](mailto:support@prava.space) for current pricing.

**Something not covered here?** [support@prava.space](mailto:support@prava.space); include the
`X-Response-ID` header of any failing request.
