PYMSTR
Docs

Authentication

Every API request requires a Bearer token in the Authorization header.

API Keys#

Use your API key as a Bearer token. Keys use the pk_ prefix.

Header
Authorization: Bearer pk_your_api_key
Keep your keys secret
API keys are for server-to-server integration. Never expose them in client-side code, mobile apps, or public repositories.

Security Features#

Configure these when creating or managing API keys via the dashboard.

FeatureDescription
IP WhitelistRestrict key usage to specific IP addresses (max 20)
ExpirationAuto-expire after 30d, 90d, 180d, 1y, or never (default: never)
Key LimitMaximum 10 active keys per account

Example Request#

Bash
curl https://api.pymstr.com/v1/payments/01234567-89ab-cdef-0123-456789abcdef \
  -H "Authorization: Bearer pk_live_abc123def456"

Rate Limits#

Each response includes rate limit headers. When the limit is exceeded, the API returns 429 Too Many Requests.

HeaderDescription
X-RateLimit-LimitMaximum requests allowed in the window
X-RateLimit-RemainingRequests remaining in current window
X-RateLimit-ResetUnix timestamp when the window resets

Common Auth Errors#

401 Unauthorized

This usually means your API key is missing or invalid. Check that:

  • The key starts with pk_
  • You're using Bearer (not Basic) auth
  • The key hasn't been revoked or expired
403 Forbidden

Your API key is valid but doesn't have permission for this action. Check your IP whitelist settings.