Every request (except the public payment-return redirect) is authenticated with a
venture’s API key.
Getting a key
An admin registers your venture with POST /api/v1/ventures. The response contains the
plaintext api_key exactly once — only its SHA-256 hash is stored, so it cannot be
retrieved later. If you lose it, rotate (below) to issue a new one.
Sending the key
Pass it on every request using either header:
# Preferred
curl -H "Authorization: Bearer sk_live_…" http://localhost:8080/api/v1/payments
# Or
curl -H "X-API-Key: sk_live_…" http://localhost:8080/api/v1/payments
A missing, unknown, or disabled key returns 401 Unauthorized. All data you access is
automatically scoped to your venture.
Rotating the key
Rotate your own key with the self-service endpoint (the old key stops working immediately):
curl -X PATCH http://localhost:8080/api/v1/me \
  -H "X-API-Key: sk_live_…" -H 'Content-Type: application/json' \
  -d '{"rotate_api_key": true}'
The response returns the new api_key once. See Managing ventures.
Treat the API key like a password. Never embed it in client-side code or commit it to
source control. Use it only from your server.
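The hash-only storage, dual-header lookup, 401 cases, and immediate rotation described above can be sketched server-side as follows. This is an added example, not the service's own code: the in-memory `VENTURES` store and the function names `issue_key`, `extract_key`, and `authenticate` are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Hypothetical in-memory store: venture_id -> {"key_hash": hex, "disabled": bool}
VENTURES = {}

def hash_key(key: str) -> str:
    # Keys are long random tokens, so a plain SHA-256 digest is enough to
    # make the stored value useless to anyone who reads the database.
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(venture_id: str) -> str:
    """Create or rotate a key. Only the hash is kept; plaintext is returned once."""
    key = "sk_live_" + secrets.token_urlsafe(32)
    record = VENTURES.setdefault(venture_id, {"disabled": False})
    record["key_hash"] = hash_key(key)  # overwriting invalidates the old key at once
    return key

def extract_key(headers: dict) -> Optional[str]:
    """Accept 'Authorization: Bearer <key>' (preferred) or 'X-API-Key: <key>'."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return lowered.get("x-api-key") or None

def authenticate(headers: dict) -> Tuple[int, Optional[str]]:
    """Return (200, venture_id), or (401, None) for a missing, unknown or disabled key."""
    key = extract_key(headers)
    if key is None:
        return 401, None
    presented = hash_key(key)
    for venture_id, record in VENTURES.items():
        # Constant-time comparison of the two hex digests.
        if hmac.compare_digest(presented, record["key_hash"]):
            return (401, None) if record["disabled"] else (200, venture_id)
    return 401, None
```

The venture id returned by `authenticate` is what a handler would use to scope every query to the caller's own data.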