Required Header
Security Guidance
- Keep keys server-side only.
- Never expose keys in browser/mobile clients.
- Rotate keys immediately after suspected compromise.
- Restrict outbound logs so API keys are never recorded.
Partner Scope Guarantee
Every endpoint is server-side scoped to your partner identity. Your API key cannot read or mutate another partner’s transactions, webhook telemetry, or revenue data.Unauthorized Responses
401 Unauthorized: missing, malformed, or invalid API key.