Test Mode vs Live Mode

There are two "modes" of operation for your Xfinity account:

Live Mode: Real money, real transactions, real effects. Only switch to this after you've tested your integration thoroughly.

Test Mode: No real money is involved. We'll still send webhooks, and most of the API behaves the same way it does in Live Mode.

API keys

Your API key can authorize any action on your account, so it should never be exposed to the public.

To get your keys:

  • Log in to your Xfinity dashboard
  • Navigate to Settings
  • Select API keys from the API & Webhook section to view and copy your keys

Don't take any chances

If you think your keys may have been compromised (for instance, you accidentally committed them to Git), you should immediately generate new ones using the Generate new keys button on the Settings > API & Webhook page on your dashboard. This will invalidate all existing keys and give you a new set, and you can then update your app to use the new ones.

Authorizing API calls

All API calls on Xfinity are authenticated. API requests made without authorization will fail with the status code 401: Unauthorized.

Your API key can perform any action on your Xfinity account without restriction. It should be kept confidential and only stored on your servers, preferably as an environment variable. It should not be included in your Git repository or front-end JavaScript code.

To authorize API calls from your server, pass your API key as a bearer token. This means passing an Authorization header with a value of "Bearer: {secret_key}".