API Authentication

All Hixbe API requests require authentication to ensure security and proper access control. We support Bearer token authentication with API versioning.

Authentication Methods

Bearer Token Authentication

Include your API key in the Authorization header using the Bearer scheme:

# cURL
curl -X GET "https://api.hixbe.com/payment/payment_intents" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Hixbe-Version: 2026-01-01"

// JavaScript (fetch)
const response = await fetch('https://api.hixbe.com/payment/payment_intents', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY',
    'Hixbe-Version': '2026-01-01',
    'Content-Type': 'application/json'
  }
});

API Keys

Types of API Keys

  • Secret Keys: Full access to all API operations. Keep these secure and never expose them in client-side code.
  • Publishable Keys: Limited access for client-side operations (e.g., payment form integration).
  • Restricted Keys: Scoped access with specific permissions and resource limitations.

Managing API Keys

Step 1: Access your dashboard

Log in to dash.hixbe.com and navigate to the API Keys section.

Step 2: Create a new key

  1. Click “Create API Key”
  2. Choose the key type (Secret, Publishable, or Restricted)
  3. Set permissions and restrictions if applicable
  4. Add a descriptive name for tracking

Step 3: Secure your keys

  • Store keys as environment variables
  • Use secret management services (AWS Secrets Manager, Azure Key Vault, etc.)
  • Rotate keys regularly
  • Never commit keys to version control

API Versioning

All requests must include the Hixbe-Version header to specify which API version to use:

-H "Hixbe-Version: 2026-01-01"

Current version: 2026-01-01

We recommend always specifying the latest version to access the newest features and improvements.

Security Best Practices

Key Security

  • Never expose secret keys in client-side code
  • Use environment variables for key storage
  • Rotate keys every 90 days
  • Monitor key usage in your dashboard
  • Use restricted keys when possible

Request Security

  • Always use HTTPS for all API requests
  • Validate SSL certificates
  • Implement proper error handling
  • Use idempotency keys for critical operations
  • Rate limit your requests appropriately

Environment Separation

  • Use separate API keys for sandbox and production
  • Test thoroughly in sandbox before going live
  • Implement environment-specific configurations
  • Use different subdomains for testing vs production

Authentication Errors

Common Error Codes

| Error Code | Description | Solution |
| --- | --- | --- |
| INVALID_API_KEY | The provided API key is invalid | Check your API key and ensure it’s correct |
| MISSING_AUTH_HEADER | Authorization header is missing | Include the Authorization header with Bearer token |
| INSUFFICIENT_PERMISSIONS | API key lacks required permissions | Create a key with appropriate permissions or contact support |
| EXPIRED_API_KEY | The API key has expired | Generate a new API key in your dashboard |
| INVALID_VERSION | Unsupported API version | Use a supported version (currently 2026-01-01) |

Error Response Format

{
  "success": false,
  "error": {
    "code": "INVALID_API_KEY",
    "message": "The API key provided is invalid",
    "details": {
      "provided_key_prefix": "sk_test_..."
    }
  }
}
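
The key-storage, HTTPS and error-handling advice above combined into one server-side wrapper, as an added example that is not Hixbe's own code. The variable name HIXBE_API_KEY, the HixbeAuthError class, the local code UNPARSEABLE_ERROR and the host allow-list are assumptions of this example; the hosts, headers and error envelope are the ones shown on this page.

```javascript
// Added example, not Hixbe's SDK. HIXBE_API_KEY is an assumed variable name.
const ALLOWED_HOSTS = new Set(['api.hixbe.com', 'sandbox.api.hixbe.com']); // hosts shown on this page
const API_VERSION = '2026-01-01';

class HixbeAuthError extends Error {
  constructor(code, message, status) {
    super(`${code}: ${message}`);
    this.code = code;
    this.status = status;
  }
}

// Build the request; the key only ever goes into the Authorization header.
function buildRequest(env, baseUrl, path) {
  const key = env.HIXBE_API_KEY;
  if (typeof key !== 'string' || key.trim() === '') throw new Error('HIXBE_API_KEY is not set');
  if (/[\r\n]/.test(key)) throw new Error('API key contains a line break');
  // Resolve first, then check: an absolute or "//host" path would otherwise
  // carry the bearer token to a different origin.
  const url = new URL(path, baseUrl);
  if (url.protocol !== 'https:') throw new Error(`refusing non-HTTPS URL: ${url.origin}`);
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error(`unexpected API host: ${url.hostname}`);
  return {
    url: url.href,
    init: { method: 'GET', headers: { Authorization: `Bearer ${key}`, 'Hixbe-Version': API_VERSION } },
  };
}

// Map the documented error envelope to a typed error; null means no error.
// UNPARSEABLE_ERROR is a local code for this example, not a Hixbe error code.
function toAuthError(status, body) {
  if (body && body.success === false && body.error && typeof body.error.code === 'string') {
    return new HixbeAuthError(body.error.code, String(body.error.message || ''), status);
  }
  return status >= 400 ? new HixbeAuthError('UNPARSEABLE_ERROR', 'unexpected error body', status) : null;
}

// fetchImpl is injectable so the wrapper can be exercised without network access.
async function hixbeGet(path, { env = process.env, baseUrl = 'https://sandbox.api.hixbe.com', fetchImpl = fetch } = {}) {
  const { url, init } = buildRequest(env, baseUrl, path);
  const res = await fetchImpl(url, init);
  const body = await res.json().catch(() => null);
  const err = toAuthError(res.status, body);
  if (err) throw err;
  return body;
}
```

Callers can branch on `err.code` (for example, alert on EXPIRED_API_KEY) without the key itself ever appearing in an error message or log line.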

Testing Authentication

Use our sandbox environment to test authentication without affecting production data:

# Sandbox URL
curl -X GET "https://sandbox.api.hixbe.com/payment/payment_intents" \
  -H "Authorization: Bearer YOUR_SANDBOX_KEY" \
  -H "Hixbe-Version: 2026-01-01"

Sandbox and production use separate API keys and data. Always test authentication in sandbox first.
