getting started
Authentication
The API authenticates with secret keys sent as a bearer token. Keys are scoped to one environment: sk_sandbox_… keys work only against sandbox data, sk_live_… only against live.
Authorization: Bearer sk_sandbox_hoAZ…
Idempotency-Key: order-8412
Idempotency
Every mutating request (POST, PATCH, DELETE) requires an Idempotency-Key header — any unique string up to 255 characters, typically your order id. Within 24 hours, a replay with the same key returns the original response with the header Idempotency-Replayed: true. A concurrent duplicate returns 409 idempotency_conflict.
Key management
- Create and revoke keys in the dashboard under API keys; the secret is shown exactly once and stored hashed.
- Rotate by creating a new key, deploying it, then revoking the old one — both work during the overlap.
- Optionally restrict a key to an IP allowlist (contact us to enable per-key allowlists).
- Never ship secret keys in browsers or mobile apps — they belong on your server.