Authentication
All Invoica API requests require authentication via an API key passed in the Authorization header.
Invoica API keys follow the format:
```
inv_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
```
Keys are prefixed with `inv_` followed by 32 hexadecimal characters.
Using Your API Key
Include your API key in every request:
```bash
curl -H "Authorization: Bearer inv_your_key_here" \
  https://api.invoica.ai/v1/invoices
```
SDK Authentication
```javascript
import { InvoicaClient } from '@invoica/sdk';

const client = new InvoicaClient({
  apiKey: 'inv_your_key_here',
  baseUrl: 'https://api.invoica.ai',
});
```
Key Management
Creating Keys
Generate API keys from your Dashboard. Each key can be scoped to specific permissions:
- Full Access — Create, read, update invoices and settlements
- Read Only — View invoices and settlements
- Webhook Only — Manage webhook configurations
Rotating Keys
When rotating keys:
- Create a new key in the Dashboard
- Update your application to use the new key
- Verify the new key works in production
- Revoke the old key
Never expose your API key in client-side code, public repositories, or browser requests. API keys should only be used in server-side applications.
Request Signing (Optional)
For additional security, requests can be signed with HMAC-SHA256:
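```javascript
import crypto from 'crypto';

// apiSecret: your signing secret; payload: the object sent as the request body;
// headers: the headers object of the outgoing request.
const timestamp = Date.now().toString(); // milliseconds since the Unix epoch
const body = JSON.stringify(payload);    // send this exact string as the request body

// HMAC-SHA256 over "<timestamp>.<body>", hex-encoded
const signature = crypto
  .createHmac('sha256', apiSecret)
  .update(`${timestamp}.${body}`)
  .digest('hex');

// Include in headers
headers['X-Invoica-Timestamp'] = timestamp;
headers['X-Invoica-Signature'] = signature;
```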
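Both sides of this signing scheme, as an added example that is not taken from the Invoica SDK or server code: it signs a request as above and shows how a receiver would check the signature, rejecting stale timestamps and comparing in constant time. The helper names, the 5-minute freshness window and the sample secret and body are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumption: a 5-minute freshness window; the page does not state one.
const TOLERANCE_MS = 5 * 60 * 1000;

// Client side: same construction as the snippet above (hypothetical helper name).
function signRequest(apiSecret, rawBody, timestamp = Date.now().toString()) {
  const signature = crypto
    .createHmac('sha256', apiSecret)
    .update(`${timestamp}.${rawBody}`)
    .digest('hex');
  return { 'X-Invoica-Timestamp': timestamp, 'X-Invoica-Signature': signature };
}

// Receiver side (hypothetical helper): returns { ok, reason }.
// rawBody must be the bytes as received, not a re-serialized object.
function verifyRequest(apiSecret, headers, rawBody, now = Date.now()) {
  const timestamp = headers['X-Invoica-Timestamp'];
  const signature = headers['X-Invoica-Signature'];
  if (typeof timestamp !== 'string' || typeof signature !== 'string') {
    return { ok: false, reason: 'missing-headers' };
  }
  // Reject malformed or stale timestamps so a captured request cannot be replayed later.
  if (!/^\d+$/.test(timestamp) || Math.abs(now - Number(timestamp)) > TOLERANCE_MS) {
    return { ok: false, reason: 'stale-timestamp' };
  }
  // A hex SHA-256 MAC is exactly 64 lowercase hex characters.
  if (!/^[0-9a-f]{64}$/.test(signature)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const expected = signRequest(apiSecret, rawBody, timestamp)['X-Invoica-Signature'];
  // Constant-time comparison; both buffers are 32 bytes after the format check.
  const match = crypto.timingSafeEqual(
    Buffer.from(expected, 'hex'),
    Buffer.from(signature, 'hex')
  );
  return match ? { ok: true, reason: 'valid' } : { ok: false, reason: 'bad-signature' };
}

// Constructed sample values, not real credentials.
const SAMPLE_SECRET = 'example-signing-secret';
const SAMPLE_BODY = JSON.stringify({ amount: 100, currency: 'USD' });
const SAMPLE_NOW = 1700000000000;
const SAMPLE_HEADERS = signRequest(SAMPLE_SECRET, SAMPLE_BODY, String(SAMPLE_NOW));
```

Re-serializing the parsed JSON before verifying (different whitespace or key order) changes the signed string, so the check must run over the raw body.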
Error Responses
| Status Code | Meaning |
|---|---|
| 401 | Invalid or missing API key |
| 403 | Key does not have required permissions |
| 429 | Rate limit exceeded |