Every API request must include your API key in the x-api-key header.
curl -H "x-api-key: sk_prod_your_key_here" \
"https://api.palcards.ps/user/profile"
The x-api-key header
| Header name | x-api-key |
| Value | your full key, e.g. sk_prod_… (80 characters) |
| Base URL | https://api.palcards.ps (production) · https://api-sandbox.palcards.ps (sandbox) |
Content-Type |
application/json for requests with a JSON body |
Do not use Authorization: Bearer … — that header is for the dashboard, not for API keys. For sandbox vs production, see Sandbox & production.
IP allowlist (important)
Requests are only accepted from the exact IP addresses on the key's allowlist:
- A key with an empty allowlist is blocked — every request fails.
- Only exact IPv4 addresses are matched — ranges / CIDR are not supported.
- Add every server IP that will send requests (see Create & manage your API key).
If your server's public IP changes, update the key's allowlist in the panel.
When authentication fails
If the key is missing, wrong, inactive, or the request comes from an IP that is not on the allowlist, the API responds with HTTP 401 Unauthorized. Check that:
- The
x-api-keyheader is present and the full key is correct. - Your server's current public IP is on the key's allowlist.
- The key has not been deleted.
Keep your key safe
- Treat the key like a password; never embed it in client‑side or public code.
- Store it in a secret manager or an environment variable.
- If it is exposed, delete the key in the panel and create a new one.