The Kalixo API authenticates requests with an API key sent in the x-api-key header. Each key is scoped to a single partner account.
curl -X GET "https://api.kalixo.io/v2/wallet" \
  -H "x-api-key: $KALIXO_API_KEY"
x-api-key (string, required): Your secret API key. Sent on every request.

Sandbox vs production

You receive two keys. Sandbox runs against test data and never charges your wallet; production is live.
| Environment | Base URL | Key prefix |
| --- | --- | --- |
| Sandbox | https://sandbox.kalixo.io/v2 | kal_test_… |
| Production | https://api.kalixo.io/v2 | kal_live_… |

Keeping your key safe

Treat your API key like a password. Never commit it to source control, embed it in client-side code, or share it in screenshots. Store it in an environment variable or secret manager.

Rotate regularly

Ask your account manager to rotate a key if it may have leaked. The old key is revoked.

Server-side only

Call the API from your backend, never from a browser or mobile app.

Errors

A missing or invalid key returns 401 Unauthorized.

Header omitted
{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Missing API key"
}
Wrong or revoked key
{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Invalid API key"
}
See Errors for the full error catalogue.
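
The following Python example is added here and is not Kalixo's own code. It reads the key from the KALIXO_API_KEY environment variable, refuses to build a request when the key prefix does not match the chosen environment from the table above, and maps the two documented 401 bodies to an action; the function names, the return labels and the local prefix check are assumptions.

```python
import json
import os
import urllib.request

# Base URLs and key prefixes as listed in the sandbox/production table.
ENVIRONMENTS = {
    "sandbox": ("https://sandbox.kalixo.io/v2", "kal_test_"),
    "production": ("https://api.kalixo.io/v2", "kal_live_"),
}


def build_request(env, path, api_key=None):
    """Build a request for `path`, rejecting a key that belongs to the other environment."""
    base_url, prefix = ENVIRONMENTS[env]
    # The key comes from the process environment, never from source code.
    key = api_key if api_key is not None else os.environ.get("KALIXO_API_KEY", "")
    if not key:
        raise ValueError("KALIXO_API_KEY is not set")
    if not key.startswith(prefix):
        # Name only the expected prefix; the key itself must not reach logs.
        raise ValueError(f"key lacks the {prefix} prefix expected for {env}")
    return urllib.request.Request(base_url + path, headers={"x-api-key": key})


def classify_401(status, body):
    """Map the documented 401 response bodies to a label an operator can act on."""
    if status != 401:
        return "not-auth-error"
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, TypeError, AttributeError):
        return "unknown-401"
    if message == "Missing API key":
        return "header-not-sent"       # the x-api-key header was omitted
    if message == "Invalid API key":
        return "key-wrong-or-revoked"  # wrong or revoked key, e.g. after rotation
    return "unknown-401"
```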