Authentication
Merchant integrations authenticate with an API key in the X-Api-Key header.
curl -X POST https://fincobra.com/api/checkout/invoices \
  -H "X-Api-Key: fc_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "amountUsd": 49.99,
    "merchantReference": "order_123"
  }'

Generate an API key
Create and manage API keys from the FinCobra dashboard.
- Open the Checkout dashboard.
- Go to Checkout settings.
- Generate an API key.
- Copy the raw key immediately.
- Store it in your server-side environment or secret manager.
API keys are prefixed with fc_live_. The raw key is shown once at creation time and cannot be retrieved later. FinCobra stores only a SHA-256 hash of the key.
WARNING
Do not put API keys in browser code, mobile apps, public repositories, or client-side environment variables. Use them only from your server.
Available API
API keys are integration credentials. They can create invoices and read known invoice data:
| Method | Path | Description |
|---|---|---|
| POST | /api/checkout/invoices | Create an invoice |
| GET | /api/checkout/invoices/:id | Get invoice detail |
| GET | /api/checkout/invoices/:id/status | Get invoice status |
API keys cannot list all invoices or change Checkout configuration. Store the invoice id returned by POST /api/checkout/invoices with your order, then use that known id for later lookups. Checkout configuration, payment methods, webhook settings, exports, exception review, and key rotation are handled in the FinCobra dashboard.
Rate Limits
API-key-authenticated checkout requests are limited to 100 requests per minute from the same client. This applies to invoice create, invoice detail, and invoice status calls made with the X-Api-Key header.
If you exceed the limit, the API returns HTTP 429 with a human-readable error message. Retry after the time shown in the error response.
Errors
Requests without an API key or dashboard session return HTTP 401:
{
  "error": "Missing API key or session"
}

Invalid API keys also return HTTP 401:
{
  "error": "Invalid API key"
}
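A server-side caller that ties the rules above together, as an added example rather than FinCobra's own code: it reads the key from the environment, logs only a redacted form, treats 401 as fatal, and retries on 429. The `FINCOBRA_API_KEY` variable name, the fixed 60-second wait, and the injectable `send`/`sleep` parameters are assumptions made for this sketch.

```python
import json
import os
import time
from urllib.error import HTTPError
from urllib.request import Request, urlopen

API_URL = "https://fincobra.com/api/checkout/invoices"  # endpoint from the page
KEY_ENV_VAR = "FINCOBRA_API_KEY"  # assumed variable name, not defined by FinCobra


def load_api_key(env=os.environ):
    """Read the key from the server environment; reject anything malformed."""
    key = env.get(KEY_ENV_VAR, "")
    if not key.startswith("fc_live_") or len(key) == len("fc_live_"):
        raise RuntimeError(f"{KEY_ENV_VAR} is missing or is not an fc_live_ key")
    return key


def redact(key):
    """Form that is safe to log: the prefix plus the last four characters."""
    return "fc_live_..." + key[-4:]


def build_request(key, amount_usd, reference):
    body = json.dumps({"amountUsd": amount_usd, "merchantReference": reference})
    headers = {"X-Api-Key": key, "Content-Type": "application/json"}
    return Request(API_URL, data=body.encode(), headers=headers, method="POST")


def http_send(req):
    """Send the request and return (status, parsed JSON body)."""
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        return err.code, json.load(err)


def create_invoice(key, amount_usd, reference, send=http_send,
                   sleep=time.sleep, wait_s=60, attempts=3):
    req = build_request(key, amount_usd, reference)
    for _ in range(attempts):
        status, body = send(req)
        if status == 401:  # bad or missing key: retrying cannot help
            raise PermissionError(f"{body.get('error')} (key {redact(key)})")
        if status != 429:
            return status, body
        sleep(wait_s)  # assumed fixed wait; prefer the time given in the 429 error
    raise RuntimeError("still rate limited after retries")
```

Persist the invoice id from a successful response alongside your order, since API keys cannot list invoices later.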