API Keys
API keys are the simplest way to authenticate server-to-server calls.
Creating and managing keys
Keys are issued and revoked from the LedgerBee app under Marketplace → API Keys. A key is shown once at creation — store it securely; it cannot be retrieved again.
Using a key
Send it in the x-api-key request header.
Scopes
Each key carries a set of scopes that gate which endpoints it can reach. Request
the narrowest set your integration needs. Inspect a key's own scopes, IP
allowlist, and expiry with GET /v1/api-key, authenticated with the key
itself.
Expiry
A key can carry an expiry date. When it does, every response authenticated
with that key includes an X-API-Key-Expires-At header (ISO 8601) — watch it
and rotate before the date. Rate limiting is covered in
Rate limits.
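The following is an added example, not LedgerBee's own code: it builds a request that sends the key in the x-api-key header and classifies a response by its X-API-Key-Expires-At header so rotation can be scheduled ahead of the date. API_BASE is a placeholder (the page gives no base URL), the 14-day ROTATE_WITHIN window and the function names are assumptions, and the sample headers are constructed.

```python
from datetime import datetime, timedelta, timezone
import urllib.request

API_BASE = "https://api.example.invalid"  # placeholder: the page does not give the base URL
ROTATE_WITHIN = timedelta(days=14)        # assumed rotation lead time, tune to your process


def build_request(path, api_key):
    """Build (not send) a request that authenticates with the x-api-key header."""
    return urllib.request.Request(API_BASE + path, headers={"x-api-key": api_key})


def parse_expiry(headers):
    """Return the key's expiry as an aware UTC datetime, or None if it has no expiry."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-api-key-expires-at")
    if raw is None:
        return None
    # fromisoformat() before Python 3.11 rejects a trailing "Z"; map it to an offset.
    parsed = datetime.fromisoformat(raw.strip().replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)  # assumption: naive values are UTC
    return parsed.astimezone(timezone.utc)


def rotation_status(headers, now=None):
    """Classify a response: 'no-expiry', 'ok', 'rotate-soon' or 'expired'."""
    expires = parse_expiry(headers)
    if expires is None:
        return "no-expiry"
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        return "expired"
    return "rotate-soon" if expires - now <= ROTATE_WITHIN else "ok"


if __name__ == "__main__":
    # Constructed sample response headers, not captured from the real API.
    sample = {"Content-Type": "application/json",
              "X-API-Key-Expires-At": "2030-01-15T00:00:00Z"}
    fixed_now = datetime(2030, 1, 5, tzinfo=timezone.utc)
    print(rotation_status(sample, fixed_now))
```

Run the check on responses your integration already receives and alert on "rotate-soon", so the key is replaced before calls start failing.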
Rotation
Rotate keys periodically and on suspected exposure: create a new key, migrate your integration, then revoke the old one. Revocation takes effect immediately (the key-validation cache is invalidated when a key is revoked).
Prefer OAuth2 client credentials when you want short-lived tokens instead of a long-lived secret.