Authentication
Bearer token contract, key formats, environment matching. Read once; reference later.
BlendFi uses simple Bearer-token authentication. Every /v1/* request carries your API key in the Authorization header. There's no login, no session, no token refresh, the key is the session.
The contract
GET /v1/users HTTP/1.1
Host: api.sandbox.blendfi.com.br
Authorization: Bearer sk_test_xxxThree rules:
Bearerprefix required. JustAuthorization: sk_test_…returns401 authentication_required. Mind the space.- Key sent on every request. No exchange-for-session-cookie pattern. The key is plaintext on every wire, that's why TLS is required.
- HTTPS only. Plain HTTP is rejected at the edge.
Key formats
| Prefix | Environment | Issued in |
|---|---|---|
sk_test_… | Sandbox | Onboarding meeting |
sk_live_… | Production | Production handoff meeting |
Cross-environment use is rejected:
sk_test_…against the production base URL →401 api_key_env_mismatchsk_live_…against the sandbox base URL →401 api_key_env_mismatch
This is intentional: prevents accidentally moving real money during testing, and prevents test calls from polluting production.
Key rotation
Production-grade integrations rotate keys on a schedule (every 90 days is a common cadence) or in response to compromise.
Rotation is self-serve via the API. A single call, POST /v1/api-keys/{id}/rotate, issues a new key with the same capabilities and name, returns the new secret exactly once, and immediately revokes the old key. The recommended flow:
GET /v1/api-keysto find theidof the key you want to rotate.POST /v1/api-keys/{id}/rotate; capture the new secret from the response (it is shown only once and cannot be retrieved later).- Roll the new secret out to your application (deploy or hot-reload the secret).
Rotation is an immediate cutover: the old key stops authenticating the instant you rotate, so requests still using it return authentication_failed. Have the new secret ready to deploy as part of the same change so there is no gap.
Errors
| Code | Status | Cause |
|---|---|---|
authentication_required | 401 | Authorization header missing or wrong format |
authentication_failed | 401 | Key unknown, revoked, expired, or org suspended |
api_key_env_mismatch | 401 | Sandbox key against prod, or vice versa |
invalid_api_key_format | 401 | Key string is malformed |
missing_capability | 403 | Key valid but lacks the endpoint's capability |
Full descriptions in the errors catalog.
Read next
- Sandbox & keys, environments and the key-request flow
- Concepts → Errors and retries, error response shape
- Quickstart, make your first call
