Skip to main content

Authentication

All Invoica API requests require authentication via an API key passed in the Authorization header.

API Key Format

Invoica API keys follow the format:
Keys are prefixed with inv_ followed by 32 hexadecimal characters.

Using Your API Key

HTTP Header

Include your API key in every request:

SDK Authentication

Key Management

Creating Keys

Generate API keys from your Dashboard. Each key can be scoped to specific permissions:
  • Full Access — Create, read, update invoices and settlements
  • Read Only — View invoices and settlements
  • Webhook Only — Manage webhook configurations

Rotating Keys

When rotating keys:
  1. Create a new key in the Dashboard
  2. Update your application to use the new key
  3. Verify the new key works in production
  4. Revoke the old key
Never expose your API key in client-side code, public repositories, or browser requests. API keys should only be used in server-side applications.

Request Signing (Optional)

For additional security, requests can be signed with HMAC-SHA256:

Error Responses