Skip to content
Getting started

Authentication

The Collect API authenticates with a secret API key. Each key acts on behalf of one workspace; the workspace is derived from the key, never from the request.

API keys#

Create and revoke keys under Settings → API keys (owners and admins only). A key looks like ak_…and is shown in full exactly once, at creation — store it somewhere safe. Collect only keeps a hash, so a lost key can't be recovered, only revoked and replaced.

Treat keys like passwords. Never commit them or ship them in client-side code — anyone with a key can create clients and invoices in your workspace. Revoke immediately if one leaks.

Making an authenticated request#

Send the key as a bearer token in the Authorization header on every request:

curl https://kurepay.com/api/v1/clients \
  -H "Authorization: Bearer ak_live_your_key"

When auth fails#

  • 401 unauthorized — the key is missing, malformed, or revoked.
  • 403 forbidden— the key is valid but API access isn't enabled for the workspace (an owner enables it), or the key lacks a required scope.

Scopes#

Keys today are full-access: they can read and write every resource the API exposes. Scoped keys are coming; existing keys keep working unchanged. See versioning for how we ship additive changes.