Skip to main content
The Kalixo API authenticates requests with an API key sent in the x-api-key header. Each key is scoped to a single partner account. Your egress IP must also be whitelisted before you can reach the API — use GET /ping to confirm connectivity once both are in place.
x-api-key
string
required
Your secret API key. Sent on every request.

Sandbox vs production

You receive two keys during onboarding. Sandbox runs against test data; production is live.
Pre-release: Base URLs below are placeholders during the pre-release period. Your account manager will confirm the final endpoints when your keys are issued.
EnvironmentBase URLKey prefix
Sandboxhttps://sandbox.kalixo.io/v2kal_test_…
Productionhttps://api.kalixo.io/v2kal_live_…

Keeping your key safe

Treat your API key like a password. Never commit it to source control, embed it in client-side code, or share it in screenshots. Store it in an environment variable or secret manager.

Rotate if leaked

API keys are issued during onboarding. There is no self-serve rotation in the API today - contact [email protected] or your account manager to rotate a key. The old key is revoked once a new one is issued.

Server-side only

Call the API from your backend, never from a browser or mobile app.

Errors

A missing or invalid key returns 401 Unauthorized: Header omitted
Wrong or revoked key
See Errors for the full error catalogue.