Authentication
The Collect API authenticates with a secret API key. Each key acts on behalf of one workspace; the workspace is derived from the key, never from the request.
API keys
Create and revoke keys under Settings → API keys (owners and admins only). A key looks like ak_… and is shown in full exactly once, at creation — store it somewhere safe. Collect only keeps a hash, so a lost key can't be recovered, only revoked and replaced.
Treat keys like passwords. Never commit them or ship them in client-side code — anyone with a key can create clients and invoices in your workspace. Revoke immediately if one leaks.
Making an authenticated request
Send the key as a bearer token in the Authorization header on every request:
curl https://paytrum.com/api/v1/clients \
  -H "Authorization: Bearer ak_live_your_key"
When auth fails
401 unauthorized — the key is missing, malformed, or revoked.
403 forbidden — the key is valid but API access isn't enabled for the workspace (an owner enables it), or the key lacks a required scope.
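A shell wrapper for the request above, as an added example rather than Collect's own code: it reads the key from the environment, hands the header to curl on stdin so the key stays out of the process list and shell history, and maps 401 and 403 to the causes listed above. COLLECT_API_KEY, the function names, and the allowed key character set are assumptions.

```shell
# Added example, not Collect's own tooling. COLLECT_API_KEY, the function
# names, and the allowed key characters (A-Z a-z 0-9 _ -) are assumptions.
COLLECT_API_BASE="https://paytrum.com/api/v1"

# Print a curl config line carrying the bearer header. It is fed to curl on
# stdin, so the key never appears in argv (ps output) or in shell history.
collect_auth_config() {
  case "${COLLECT_API_KEY:-}" in
    ""|ak_*[!A-Za-z0-9_-]*)
      echo "COLLECT_API_KEY is unset or contains unexpected characters" >&2
      return 1 ;;
    ak_*)
      printf 'header = "Authorization: Bearer %s"\n' "$COLLECT_API_KEY" ;;
    *)
      echo "COLLECT_API_KEY does not start with ak_" >&2
      return 1 ;;
  esac
}

# Translate an auth failure status into the cause the documentation gives.
collect_auth_hint() {
  case "$1" in
    401) echo "key is missing, malformed, or revoked" ;;
    403) echo "API access not enabled for the workspace, or key lacks a required scope" ;;
  esac
}

# GET a path under the API base, e.g.: collect_get /clients
collect_get() {
  cfg=$(collect_auth_config) || return 1
  body=$(mktemp) || return 1
  status=$(printf '%s\n' "$cfg" | curl --silent --show-error --config - \
    --output "$body" --write-out '%{http_code}' "$COLLECT_API_BASE$1")
  case "$status" in
    2??) cat "$body"; rm -f "$body"; return 0 ;;
  esac
  rm -f "$body"
  echo "HTTP $status: $(collect_auth_hint "$status")" >&2
  return 1
}
```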
Scopes
Keys today are full-access: they can read and write every resource the API exposes. Scoped keys are coming; existing keys keep working unchanged. See versioning for how we ship additive changes.