Authentication
All Invoica API requests require authentication via an API key passed in the Authorization header.
Invoica API keys follow the format:
Keys are prefixed with inv_ followed by 32 hexadecimal characters.
Using Your API Key
Include your API key in every request:
SDK Authentication
Key Management
Creating Keys
Generate API keys from your Dashboard. Each key can be scoped to specific permissions:
- Full Access — Create, read, update invoices and settlements
- Read Only — View invoices and settlements
- Webhook Only — Manage webhook configurations
Rotating Keys
When rotating keys:
- Create a new key in the Dashboard
- Update your application to use the new key
- Verify the new key works in production
- Revoke the old key
Never expose your API key in client-side code, public repositories, or browser requests. API keys should only be used in server-side applications.
Request Signing (Optional)
For additional security, requests can be signed with HMAC-SHA256:
Error Responses