Skip to main content
Every request carries an API key in the Authorization header:
Keys are issued by Cactus at kickoff and can be rotated or revoked at any time — contact your Cactus representative to manage keys.

Live and sandbox keys

Both key types use the same base URL and identical request shapes, so switching your integration from sandbox to live is a one-variable change.

Key safety

  • Keys are shown once at issuance and cannot be recovered — store them in a secrets manager.
  • Send keys only in the Authorization header over HTTPS. Never embed them in client-side code or URLs.
  • If a key may have been exposed, ask us to rotate it — a replacement is issued immediately and the old key is revoked.

Errors

Requests without a valid key return 401 with a machine-readable code (missing_api_key, invalid_api_key, revoked_api_key, or expired_api_key). A key lacking access to a product returns 403 with missing_scope.