Authentication
Every API request requires a Bearer token in the Authorization header.
API Keys#
Use your API key as a Bearer token. Keys use the pk_ prefix.
Header
Authorization: Bearer pk_your_api_keyKeep your keys secret
API keys are for server-to-server integration. Never expose them in client-side code, mobile apps, or public repositories.
Security Features#
Configure these when creating or managing API keys via the dashboard.
| Feature | Description |
|---|---|
| IP Whitelist | Restrict key usage to specific IP addresses (max 20) |
| Expiration | Auto-expire after 30d, 90d, 180d, 1y, or never (default: never) |
| Key Limit | Maximum 10 active keys per account |
Example Request#
Bash
curl https://api.pymstr.com/v1/payments/01234567-89ab-cdef-0123-456789abcdef \
-H "Authorization: Bearer pk_live_abc123def456"Rate Limits#
Each response includes rate limit headers. When the limit is exceeded, the API returns 429 Too Many Requests.
| Header | Description |
|---|---|
X-RateLimit-Limit | Maximum requests allowed in the window |
X-RateLimit-Remaining | Requests remaining in current window |
X-RateLimit-Reset | Unix timestamp when the window resets |
Common Auth Errors#
401 UnauthorizedThis usually means your API key is missing or invalid. Check that:
- The key starts with
pk_ - You're using
Bearer(not Basic) auth - The key hasn't been revoked or expired
403 ForbiddenYour API key is valid but doesn't have permission for this action. Check your IP whitelist settings.