Skip to main content

API Keys

All API requests require authentication using Bearer tokens. Include your API key in the Authorization header of every request. 
Authorization: Bearer sk_live_xxxxxxxxxxxx

Key types

Bipa provides two types of API keys:
PrefixEnvironmentPurpose
bipa_live_sk_ProductionReal transactions with real money
bipa_test_sk_SandboxTesting and development
Never expose your API keys in client-side code, public repositories, or logs. Treat them like passwords.

Making authenticated requests

Include your API key in the Authorization header: 
curl https://api.bipa.tech/v1/customers \
  -H "Authorization: Bearer bipa_live_sk_xxxxxxxxxxxx" \
  -H "Content-Type: application/json"

Obtaining API keys

  1. Log in to your Bipa Console
  2. Navigate to DevelopersAPI Keys
  3. Click Create new key
  4. Copy your key immediately — it won’t be shown again
You can create multiple API keys for different services or environments. Each key can be revoked independently.

Sandbox environment

The sandbox environment uses the same base URL but with test API keys: 
curl https://api.bipa.tech/v1/customers \
  -H "Authorization: Bearer sk_test_xxxxxxxxxxxx"
In sandbox mode:
  • No real money is moved
  • Pix payments are simulated
  • Trades execute with test balances
  • Webhooks are delivered normally

Authentication errors

If authentication fails, you’ll receive a 401 Unauthorized response: 
{
  "error": {
    "type": "authentication_error",
    "code": "invalid_api_key",
    "message": "The API key provided is invalid or has been revoked.",
    "doc_url": "https://docs.bipa.tech/errors#invalid_api_key"
  }
}
Common authentication issues:
Error CodeCauseSolution
invalid_api_keyKey doesn’t exist or is malformedCheck the key format and copy it again
revoked_api_keyKey has been revokedGenerate a new key in the console
missing_authorizationNo Authorization headerInclude the header in your request

Security best practices

Store API keys in environment variables, not in code:
export BIPA_API_KEY=sk_live_xxxxxxxxxxxx

import os
api_key = os.environ.get("BIPA_API_KEY")
Create new keys periodically and revoke old ones. This limits the impact if a key is compromised.
Create different API keys for different services or environments. This makes it easier to revoke access if needed.
Review your API logs in the console regularly to detect unusual activity.

IP allowlisting

For additional security, you can restrict API key usage to specific IP addresses:
  1. Go to DevelopersAPI Keys in the console
  2. Select the key you want to restrict
  3. Add allowed IP addresses or CIDR ranges
IP allowlisting is optional but recommended for production environments.