Environment Details


Bolt provides two account environments: Sandbox and Production. Each environment includes a unique Merchant Dashboard. All transactions that flow through Bolt’s checkout can be found in your Merchant Dashboard.

Each merchant account has a unique API Key and Signing Secret that Bolt uses to accurately verify and associate transactions with the account’s divisions.


A Bolt merchant account can have one or many divisions. A division represents a uniquely configured instance of Bolt Checkout to fit a specific use case or workflow (e.g., storefront and back office). Division setup often includes enabling different features and creating separate webhooks for every division.

Common Divisions

  • Pay by Link
  • Back Office
  • NetSuite ERP

Each merchant division has a unique Publishable Key that is used to access your transaction data outside of the Bolt Merchant Dashboard.


Collaborating with many developers across multiple sandboxes does not require multiple divisions. Simply add each URL to your Approved Domains list.

Account Types

Merchant account types are associated with individual processors. Because each processor has unique workflows and setup requirements, switching your payment processor requires setting up a new Bolt merchant account that aligns with the newly chosen processor.

API & Webhooks

About Keys

  • API Key: Used for calling the Bolt API from your backend server.
  • Signing Secret: Used for signature verification on requests received from Bolt.
  • Publishable Key: Embedded on your website and used by Bolt to identify your website. The publishable key is a long string of lower and upper case letters and numbers that consists of three sections.




  • X-Api-Key: Provide the API_KEY.
  • X-Nonce: A unique 12-16 digit value for every request (a UUID is a good option).
  • Content-Type: application/json


Environment   URL
Sandbox       https://api-sandbox.bolt.com
Production    https://api.bolt.com

Key Rotation

It is a security best practice to rotate cryptographic and API keys on a scheduled basis. Bolt lets you rotate both API Keys and Signing Secrets with no downtime.


  • Your store is using the new Merchant Dashboard experience.
  • Contact your CSM to enable the merchant_dash_update_signing_secret_keys feature flag.


  1. Navigate to Administration > API and scroll to Signing Secret, then click Initiate Key Rotation.
  2. During this step, one key is Active and the new key is Pending. Both keys can be used at this time. Use the X-Bolt-Hmac-Sha256 header to validate requests with the old key and the X-Bolt-Hmac-Sha256-Pending header to validate them with the pending key.
  3. Once you have completed signing secret rotation within your application, click Complete Key Rotation to deactivate the current key and activate the pending key.
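
The dual-header check from step 2, as an added example (not Bolt's own code). It assumes the header value is the base64-encoded HMAC-SHA256 of the raw request body, which this page does not specify; the function names, secrets and payload are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional

ACTIVE_HEADER = "X-Bolt-Hmac-Sha256"           # signed with the Active key
PENDING_HEADER = "X-Bolt-Hmac-Sha256-Pending"  # signed with the Pending key


def sign(secret: str, body: bytes) -> str:
    """Assumed scheme: base64(HMAC-SHA256(secret, raw request body))."""
    digest = hmac.new(secret.encode(), body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_request(headers: Mapping[str, str], body: bytes,
                   active_secret: Optional[str] = None,
                   pending_secret: Optional[str] = None) -> Optional[str]:
    """Return the header that validated, or None if the request must be rejected.

    Each secret is checked only against its own header, so the application can
    hold the old key, the new key, or both while the rotation is in progress.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    matched = None
    for header, secret in ((ACTIVE_HEADER, active_secret),
                           (PENDING_HEADER, pending_secret)):
        received = lowered.get(header.lower())
        if not secret or not received:
            continue  # never verify with an empty secret or a missing header
        # Constant-time comparison on bytes avoids leaking how many
        # characters of the signature matched.
        if hmac.compare_digest(sign(secret, body).encode(), received.encode()):
            matched = matched or header
    return matched


# Constructed sample data (not real Bolt keys or payloads).
OLD_SECRET = "old-signing-secret-example"
NEW_SECRET = "new-signing-secret-example"
SAMPLE_BODY = b'{"type":"payment","id":"TEST-0001"}'
SAMPLE_HEADERS = {
    "x-bolt-hmac-sha256": sign(OLD_SECRET, SAMPLE_BODY),
    "x-bolt-hmac-sha256-pending": sign(NEW_SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(verify_request(SAMPLE_HEADERS, SAMPLE_BODY, active_secret=OLD_SECRET))
    print(verify_request(SAMPLE_HEADERS, SAMPLE_BODY, pending_secret=NEW_SECRET))
```

Compute the signature over the exact bytes received, before any JSON parsing or re-serialization, and reject the request when the function returns None.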


It is possible to revert to the old signing secret for up to 48 hours. The amount of time left to revert is displayed in the signing secret table. Select Revert Key Rotation to do this.

Rotate API Keys

Bolt allows you to create up to five active API Keys. You can activate and deactivate these keys at any time.

Bolt CDN Paths

Production   CDN_URL              https://connect.bolt.com
Production   API_URL              https://api.bolt.com
Production   Merchant Dashboard   https://merchant.bolt.com
Sandbox      CDN_URL              https://connect-sandbox.bolt.com
Sandbox      API_URL              https://api-sandbox.bolt.com
Sandbox      Merchant Dashboard   https://merchant-sandbox.bolt.com

Other Details

Merchant Callback API Timeout Limits

Environment   Timeout
Sandbox       30 seconds
Production    20 seconds