API keys
Every request must be authenticated with a customer API key. Send it as either:
x-api-key: sk_live_xxxxxxxxxxxxxxxxxxxx
# or
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxx
Keys are scoped per customer, can be IP-whitelisted, and may carry an expiry date.
Treat API keys as secrets. Never expose them in client-side code or commit them to
source control. Rotate immediately if a key is leaked.
CSRF token for writes
Write operations (POST, PATCH, DELETE) additionally require an X-CSRF-Token
header (a 64-character hex string):
X-CSRF-Token: <64-char-hex>
IP whitelisting & expiry
A key may be restricted to a set of source IP addresses and given an expiry
date. A request from a non-whitelisted IP, or with an expired key, is rejected
with 403. Rotate keys periodically and deactivate any you no longer use.
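The following is an added illustration of the checks described above from the server's point of view: API key accepted from either header, key expiry, source-IP whitelist, and the X-CSRF-Token requirement on write methods. It is not the vendor's implementation. The key-record layout, the sample keys, and the 401 returned for a missing or unknown key are assumptions; the docs only specify 403 for a non-whitelisted IP or an expired key.

```python
# Added example, not the vendor's code. Models the API-key, expiry, IP-whitelist
# and X-CSRF-Token checks described in the docs. Key-record shape, sample keys
# and the 401 for missing/unknown keys are assumptions.
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

WRITE_METHODS = {"POST", "PATCH", "DELETE"}
CSRF_RE = re.compile(r"^[0-9a-fA-F]{64}$")  # 64-character hex string


@dataclass(frozen=True)
class KeyRecord:
    customer_id: str
    allowed_ips: frozenset = frozenset()      # empty = no IP restriction
    expires_at: Optional[datetime] = None     # None = no expiry
    active: bool = True


def key_id(secret: str) -> str:
    # Store only a hash of each key so a dumped key table is not a usable key set.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample key table: hashes of made-up keys, not real credentials.
KEY_A = "sk_live_constructed_example_key_A"
KEY_B = "sk_live_constructed_example_key_B"
KEYS = {
    key_id(KEY_A): KeyRecord(
        customer_id="cust_A",
        allowed_ips=frozenset({ipaddress.ip_address("203.0.113.10")}),
        expires_at=datetime(2030, 1, 1, tzinfo=timezone.utc),
    ),
    key_id(KEY_B): KeyRecord(
        customer_id="cust_B",
        expires_at=datetime(2020, 1, 1, tzinfo=timezone.utc),  # already expired
    ),
}
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed clock for the demo


def extract_api_key(headers: dict) -> Optional[str]:
    """Accept x-api-key or Authorization: Bearer; header names are case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("x-api-key", "").strip():
        return lower["x-api-key"].strip()
    scheme, _, token = lower.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return None


def authorize(method: str, headers: dict, source_ip: str, now: datetime) -> Tuple[int, str]:
    """Return (status, detail); 200 carries the customer id, anything else is a rejection."""
    secret = extract_api_key(headers)
    if secret is None:
        return 401, "missing API key"                  # assumption: status for no key
    rec = KEYS.get(key_id(secret))
    if rec is None or not rec.active:
        return 401, "unknown or deactivated key"       # assumption: status for bad key
    if rec.expires_at is not None and now >= rec.expires_at:
        return 403, "key expired"                      # per docs
    if rec.allowed_ips:
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return 403, "unparseable source address"
        if addr not in rec.allowed_ips:
            return 403, "source IP not whitelisted"    # per docs
    if method.upper() in WRITE_METHODS:
        token = {k.lower(): v for k, v in headers.items()}.get("x-csrf-token", "")
        if not CSRF_RE.match(token):
            return 403, "missing or malformed X-CSRF-Token"  # assumption: status
    return 200, rec.customer_id


if __name__ == "__main__":
    print(authorize("GET", {"x-api-key": KEY_A}, "203.0.113.10", SAMPLE_NOW))
    print(authorize("POST", {"x-api-key": KEY_A}, "203.0.113.10", SAMPLE_NOW))
```

Note that the expiry and IP checks run before the CSRF check, so a request that fails on an expired key is rejected as 403 regardless of its other headers; the order of the two 403 causes is an implementation choice, not something the docs specify.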
Idempotency
Money-moving operations (such as wallet sends) accept an Idempotency-Key
header. Generate a unique UUID once per logical operation and send that same
value on every retry of it, so retries never create duplicate transactions:
Idempotency-Key: 3f9c2a7e-1b4d-4c8a-9e21-7d5f0b6a1c33
See Idempotency for the full pattern and 409 semantics.