Authorization header:
Live and sandbox keys
Both key types use the same base URL and identical request shapes, so
switching your integration from sandbox to live is a one-variable change.
Key safety
- Keys are shown once at issuance and cannot be recovered — store them in a secrets manager.
- Send keys only in the
Authorizationheader over HTTPS. Never embed them in client-side code or URLs. - If a key may have been exposed, ask us to rotate it — a replacement is issued immediately and the old key is revoked.
Errors
Requests without a valid key return401 with a machine-readable code
(missing_api_key, invalid_api_key, revoked_api_key, or
expired_api_key). A key lacking access to a product returns 403 with
missing_scope.