How PIK API authentication works, the difference between sandbox and production credentials, and how to keep your keys secure.
Every request to the PIK API must be authenticated using an API key. Your API key identifies your platform and authorises PIK to process requests on your behalf. Keep your API keys secure — treat them like passwords.
PIK uses bearer token authentication. Include your API key in the Authorization header of every request:

    Authorization: Bearer YOUR_API_KEY

Production key — Used for live transactions that move real funds. Generated from PIK Dashboard under Settings > API Keys > Production.

Sandbox key — Used for testing only. Transactions are simulated and never move real funds. Generated from PIK Dashboard under Settings > API Keys > Sandbox.

Never use your production key in a test environment. Never use your sandbox key in production. Keep both keys out of client-side code, public repositories, and logs.
Include the x-on-behalf-of header alongside your Authorization header when making calls on behalf of a connected account:

    Authorization: Bearer YOUR_PLATFORM_API_KEY
    x-on-behalf-of: CONNECTED_ACCOUNT_ID

Without x-on-behalf-of, the request is scoped to your platform account. With it, the request is scoped to the specified connected account.
PIK supports multiple active API keys simultaneously. To rotate without downtime:

Step 1 — Generate a new key in the PIK Dashboard.
Step 2 — Update your application to use the new key.
Step 3 — Verify requests are succeeding with the new key.
Step 4 — Delete the old key from the PIK Dashboard.
401 Unauthorized — API key is missing, invalid, or has been deleted.

403 Forbidden — Key is valid but the requested action is not permitted. The connected account capability may not be activated or the account is not verified.
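The following is an added example, not PIK's own client code: it loads the key for one environment from the process environment (so sandbox and production keys cannot be mixed up and nothing is hard-coded), builds the Authorization and optional x-on-behalf-of headers, masks the key before logging, and maps the 401/403 responses above to an operator action. The environment variable names are assumptions chosen for this example, not documented PIK values.

```python
import os
from typing import Optional, Mapping

# Assumption: environment variable names chosen for this example. Keeping
# one variable per environment means a production key can never be picked
# up by accident when the application is configured for sandbox.
KEY_ENV_VARS = {
    "sandbox": "PIK_SANDBOX_API_KEY",
    "production": "PIK_PRODUCTION_API_KEY",
}


def load_api_key(environment: str, env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the environment so it is never committed to source."""
    var = KEY_ENV_VARS[environment]  # KeyError for an unknown environment
    key = env.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set for environment '{environment}'")
    return key


def build_headers(api_key: str, connected_account_id: Optional[str] = None) -> dict:
    """Authorization is always sent; x-on-behalf-of scopes the request to a
    connected account and is omitted for platform-level calls."""
    headers = {"Authorization": f"Bearer {api_key}"}
    if connected_account_id:
        headers["x-on-behalf-of"] = connected_account_id
    return headers


def redact(headers: Mapping[str, str]) -> dict:
    """Return a copy safe for logs: the bearer value is masked so the key
    never lands in log storage."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Bearer ***redacted***"
    return safe


def classify_status(status: int) -> str:
    """Map the documented authentication failures to the next check."""
    if status == 401:
        return "key missing, invalid or deleted: check the key in use"
    if status == 403:
        return "key valid but action not permitted: check account capability/verification"
    return "ok" if 200 <= status < 300 else "other error"
```

Pass the result of build_headers() to your HTTP client, and only ever log redact(headers).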