x-api-key header.
Each key is scoped to a single partner account. Your egress IP must also be whitelisted
before you can reach the API — use GET /ping to confirm connectivity once both are in place.
Your secret API key. Sent on every request.
Sandbox vs production
You receive two keys during onboarding. Sandbox runs against test data; production is live.Pre-release: Base URLs below are placeholders during the pre-release period. Your
account manager will confirm the final endpoints when your keys are issued.
| Environment | Base URL | Key prefix |
|---|---|---|
| Sandbox | https://sandbox.kalixo.io/v2 | kal_test_… |
| Production | https://api.kalixo.io/v2 | kal_live_… |
Keeping your key safe
Rotate if leaked
API keys are issued during onboarding. There is no self-serve rotation in the API today -
contact [email protected] or your account manager
to rotate a key. The old key is revoked once a new one is issued.
Server-side only
Call the API from your backend, never from a browser or mobile app.
Errors
A missing or invalid key returns401 Unauthorized:
Header omitted