Authentication

Create & manage your API key

API keys are created and managed by you, in the PalCards dealer panel. A key is tied to your dealer account — anyone who has it can act as you — so treat it like a password. Create a key 1. Sign in to the PalCards dealer panel at https://cp.palcards.ps. 2. Open API keys ("مفاتيح API") from the sidebar. 3. Click Create new key ("إنشاء مفتاح جديد"). 4. Fill in: - Key name ("اسم المفتاح") — a label so you can recognise it later, e.g. Production server. Required (min. 3 characters). - Allowed IP list ("قائمة IP المسموحة") — the public IP address(es) your requests will come from, comma‑separated. Required in practice: a key with an empty allowlist is blocked from every request ("جميع الطلبات محظورة"). 5. Click Create ("إنشاء"). The full key is shown once — copy it now and store it securely. You will not be able to see it again ("لن تتمكن من رؤيته مرة أخرى"). The key looks like this (80 characters): sk_prod_1a2b3c4d… Manage your keys The API keys table shows, for each key: a masked prefix, the allowed IPs, the created date, and the last‑used date. You can: - Edit — change the key's name or its allowed IP list. - Delete — immediately revoke the key. Deletion is the revoke action; there is no separate "disable". The secret part of a key cannot be regenerated. If a key is lost or leaked, delete it and create a new one. Rules to remember - IP allowlist is mandatory. Only exact IPv4 addresses are accepted — no ranges / CIDR. List every server IP that will call the API. - One‑time secret. The full key is shown only at creation. - Dealer‑only. API keys are available on dealer accounts. - Keys can't mint keys. API keys are created interactively in the panel only — there is no API endpoint to create one, and an API key cannot create another key. Next: Authenticating requests.

Authenticating requests

Every API request must include your API key in the x-api-key header. curl -H "x-api-key: sk_prod_your_key_here" \ "https://api.palcards.ps/user/profile" The x-api-key header | | | |---|---| | Header name | x-api-key | | Value | your full key, e.g. sk_prod_… (80 characters) | | Base URL | https://api.palcards.ps (production) · https://api-sandbox.palcards.ps (sandbox) | | Content-Type | application/json for requests with a JSON body | Do not use Authorization: Bearer … — that header is for the dashboard, not for API keys. For sandbox vs production, see Sandbox & production. IP allowlist (important) Requests are only accepted from the exact IP addresses on the key's allowlist: - A key with an empty allowlist is blocked — every request fails. - Only exact IPv4 addresses are matched — ranges / CIDR are not supported. - Add every server IP that will send requests (see Create & manage your API key). If your server's public IP changes, update the key's allowlist in the panel. When authentication fails If the key is missing, wrong, inactive, or the request comes from an IP that is not on the allowlist, the API responds with HTTP 401 Unauthorized. Check that: 1. The x-api-key header is present and the full key is correct. 2. Your server's current public IP is on the key's allowlist. 3. The key has not been deleted. Keep your key safe - Treat the key like a password; never embed it in client‑side or public code. - Store it in a secret manager or an environment variable. - If it is exposed, delete the key in the panel and create a new one.