Authentication
The Settlx API uses API key authentication. Every request to a protected endpoint must include your secret API key in the Authorization header as a Bearer token.
Authorization: Bearer pk_live_...
API keys begin with pk_live_.
Never expose your API key in client-side code, browser JavaScript, mobile apps, or public repositories. All authenticated API calls must be made server-side.
Getting your API key
- Log in to the Settlx Dashboard
- Go to Settings → API Keys
- Click Create API Key
- Copy the key immediately — it is shown only once and cannot be retrieved again
Store the key in an environment variable. Do not commit it to source control.
# .env
SETTLX_API_KEY=pk_live_...
Example requests
curl https://api.settlx.io/api/v1/invoices \
-H "Authorization: Bearer $SETTLX_API_KEY" \
-H "Content-Type: application/json"
Key management
| Action | Where |
|---|---|
| Create a new key | Dashboard → Settings → API Keys |
| Revoke a key | Dashboard → Settings → API Keys → Revoke |
| Rotate a key | Create a new key, update your environment, then revoke the old key |
Revoked keys are rejected immediately. There is no grace period.
If you suspect your API key has been compromised, revoke it immediately from the dashboard and generate a new one.
Public endpoints
The following endpoints do not require authentication and are safe to call from a browser or mobile client:
| Endpoint | Description |
|---|---|
| GET /api/v1/chains | List supported chains |
| GET /api/v1/tokens | List supported tokens and chains |
| GET /api/v1/invoices/:id/status | Poll invoice payment status |
Authentication errors
| Status | Cause |
|---|---|
| 401 Unauthorized | Missing, malformed, or revoked API key |
| 403 Forbidden | Valid key but merchant account is inactive or suspended |
| 429 Too Many Requests | Rate limit exceeded — see API Conventions |