Authentication - PLU Card API

All API requests must include your API key. There are two ways to pass it:

Bearer Token (Recommended)

Authorization: Bearer sk_staging_your_api_key_here

API Key Header

x-api-key: sk_staging_your_api_key_here

API Key Format

Environment	Prefix	Example
Staging	`sk_staging_`	`sk_staging_abc123def456...`
Production	`sk_live_`	`sk_live_abc123def456...`

How It Works

The API extracts your key from the Authorization or x-api-key header
The first 16 characters are used to look up your partner account
The full key is verified against the stored hash using bcrypt
Validated keys are cached for 5 minutes to reduce latency on subsequent requests

What Gets Attached

On successful authentication, the API attaches your partner context to the request. This includes your partner ID, fee configuration, and a data filter that scopes all queries to your account.

Error Responses

401 — Missing or invalid API key

{
  "status": "error",
  "message": "Unauthorized",
  "data": {
    "error": "Invalid API key"
  }
}

403 — Partner suspended

{
  "status": "error",
  "message": "Forbidden",
  "data": {
    "error": "Partner account is suspended"
  }
}

Keep your API key secret. Do not expose it in client-side code, public repositories, or logs. If compromised, contact support immediately to rotate it.

Getting Started

​Bearer Token (Recommended)

​API Key Header

​API Key Format

​How It Works

​What Gets Attached

​Error Responses

Bearer Token (Recommended)

API Key Header

API Key Format

How It Works

What Gets Attached

Error Responses