Skip to main content

API Key Authentication

All requests require an API key passed as a bearer token in the Authorization header: 
curl 'https://api.sbx.moduluslabs.io/ecom/v1/checkout' \
  -H 'Authorization: Bearer sk_test_your_api_key_here'
API keys are provisioned during merchant onboarding. Contact your account manager to request keys.
EnvironmentKey PrefixDescription
Productionsk_live_Live transactions, real money
Sandboxsk_test_Test transactions, no real charges
Keep your API keys secret. Do not expose them in client-side code, public repositories, or browser applications. Requests without a valid key receive a 401 invalid_api_key response.

Entity Scoping

Every API key is scoped to an entity in the organization hierarchy. Data access is automatically restricted based on your key’s level.
Key LevelAccess
PartnerAll merchants and branches under the partner
MerchantAll branches under the merchant
BranchOnly that branch
When you create a payment link, partner- and merchant-scoped keys must specify a merchant_branch_reference_number. Branch-scoped keys can omit it — the link is created against that branch automatically.

Idempotency

The Idempotency-Key header is a unique client-generated identifier using letters, digits, dot (.), hyphen (-), and underscore (_), 8–64 characters. Clients often reuse their own order_reference as the key.
  • POST /checkout (create a payment link) — required
  • POST /checkout/{id}/cancel (cancel a payment link) — optional; cancel is idempotent by nature, so a key is accepted but not required
If you send the same idempotency key with the same request body, you receive the original response without creating a duplicate. If you send the same key with a different body, you receive a 409 idempotency_mismatch error.
Idempotency keys expire after 24 hours. Generate a fresh key for each distinct operation.

Request headers

HeaderRequiredDescription
AuthorizationAlwaysBearer sk_live_... or Bearer sk_test_...
Content-TypePOST, PATCHapplication/json
Idempotency-KeyRequired on POST /checkout; optional on POST /checkout/{id}/cancelUnique client-generated ID. Letters, digits, ., -, _; 8–64 characters

Response headers

Every response includes:
HeaderDescription
x-correlation-idUnique request identifier (UUID v4). Include this in support requests.
X-RateLimit-LimitMaximum requests allowed per minute for this endpoint
X-RateLimit-RemainingRequests remaining in the current window
X-RateLimit-ResetUnix timestamp when the rate limit window resets

Rate limits

Requests are rate-limited per API key per endpoint.
EndpointLimit
POST /checkout60 requests/minute
GET /checkout120 requests/minute
GET /checkout/{id}120 requests/minute
PATCH /checkout/{id}60 requests/minute
POST /checkout/{id}/cancel60 requests/minute
When rate limited, the API returns a 429 rate_limited response. Check the Retry-After header for the number of seconds to wait before retrying.