Create an API key
Mint a new API key for one environment. The plaintext
secret is returned exactly once in this response — store
it somewhere safe (a secrets manager, an env var on your
server) right away. We only keep a hash on our side, so we
can’t recover it for you later.
Authorizations
Pass your secret key in the Authorization header as a Bearer
token: Authorization: Bearer sk_test_... (sandbox) or
Bearer sk_live_... (production).
Keys are created in the developer portal and the plaintext secret is shown exactly once at creation. Treat them like passwords — never embed them in mobile apps or front-end code.
Body
Response
Key created. The secret field is the only time
we show you the plaintext value — copy it now.
Plain UUID v4 (e.g. 15a81d54-0471-...). No prefix is
applied today. SDKs should treat the value as opaque.
"15a81d54-0471-4f3c-9c1f-2f0a0c7b8d31"
sandbox, live First few characters of the key, safe to display in lists and logs (the rest is irrecoverable after creation).
"sk_test_a89d15d0"
read:clients, write:clients, read:connections, write:connections, read:accounts, read:transactions, read:statements, write:statements, manage:webhooks, read:webhooks, write:webhooks, read:api-keys, write:api-keys active, revoked The full plaintext API key — pass this as
Authorization: Bearer <secret> on every request.
Returned once at creation (or rotation). We only keep a hash on our side, so if you lose it you'll need to create a new key.
The first few characters (visible in prefix) start
with sk_test_ for sandbox keys or sk_live_ for
live keys.
"sk_test_a89d15d0805c041eb058f040669c3a6d"
