The Confirmo API uses API keys as its sole authentication mechanism. These private, merchant-specific keys enable secure access to invoices and settlements outside the user interface.

API key management

Create and manage API keys through the Confirmo user interface:

  1. Log in to your Confirmo account
  2. Navigate to Settings
  3. Access the API keys section
  4. Generate a new API key

Upon creation, the API key token is displayed only once and only for a limited time; copy it immediately.

Each token grants full read/write access to your account and follows the default validity rules (below).

Important security notice: Store your API key securely and never share it with a third party. Keep your own reliable copy: we cannot show you the same API key again, because we do not hold it in a recoverable form (for security reasons). Follow as many of the best practices described below as you can.

API key validity

The default validity of an API key is one year. The remaining validity of each existing API key is shown in the API key settings. You will be notified before an API key expires:

  • 3 months in advance at the dashboard.
  • 2 months in advance and then multiple times (if there's no action on your side) via email notifications.

We're working on further security improvements to protect your API keys as much as possible.

API key best practices

Securing your API keys is critical to protecting your account. Follow these industry-standard security practices:

  • Never embed API keys in source code: A key in source code is one accidental commit or paste away from exposure. Supply it at runtime instead, from an environment variable or a configuration file kept outside your application's source directory.
  • Keep API keys out of source control: Store key files outside your application's source tree (and list them in your ignore file) so they cannot be committed to source control systems, especially public repositories such as GitHub.
  • Implement IP restrictions: Limit which IP addresses can use each key to minimize impact if a key becomes compromised.
  • Conduct security reviews: Thoroughly check code for API keys or other credentials before making it publicly accessible.

API key usage

Every API request must include an Authorization header carrying a valid API key token as a Bearer token:

curl https://confirmo.net/api/v3/invoices -H 'Authorization: Bearer {YOUR_API_KEY}'
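The following Python client pattern is an added example (not Confirmo's own code) that puts the best practices above and the Authorization header into practice: the key is read from an environment variable at runtime rather than from source, the placeholder from the curl line is rejected so it cannot be sent by mistake, the key is redacted before it reaches any log line, and the one-year validity with the 3-month and 2-month notification windows is turned into a check you can run in a cron job to trigger rotation early. The variable name CONFIRMO_API_KEY, the treatment of a month as 30 days in the expiry check, and the assumption that responses are JSON are mine, not from the page.

```python
"""Confirmo API key handling: key from the environment, never from source.

Added example, not Confirmo's own code. Assumptions not taken from the page:
- the key is supplied in the CONFIRMO_API_KEY environment variable;
- "3 months" / "2 months" are treated as 90 / 60 days;
- the API answers with JSON (the page only shows the request side).
"""
import json
import os
import urllib.request
from datetime import date, timedelta

API_BASE = "https://confirmo.net/api/v3"  # from the page's curl example
PLACEHOLDER = "{YOUR_API_KEY}"           # the page's placeholder token


class MissingApiKey(RuntimeError):
    """Raised when no usable key is available at runtime."""


def load_api_key(env=os.environ, name="CONFIRMO_API_KEY"):
    """Read the key from the environment; refuse blanks and the placeholder.

    Keeping the key out of source control means the process must obtain it at
    runtime; failing loudly beats sending an empty or dummy bearer token.
    """
    key = env.get(name, "").strip()
    if not key or key == PLACEHOLDER:
        raise MissingApiKey(f"{name} is not set; export it instead of embedding it in code")
    return key


def auth_headers(api_key):
    """Build the Authorization header exactly as the page's curl example does."""
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


def redact(api_key, keep=4):
    """Display form for logs and error messages: only the last few characters."""
    if len(api_key) <= keep:
        return "*" * len(api_key)
    return "*" * (len(api_key) - keep) + api_key[-keep:]


def expiry_status(created, today, validity_days=365):
    """Map a key's creation date onto the page's notification windows.

    Default validity is one year; the dashboard warns 3 months ahead and
    e-mail reminders start 2 months ahead (month = 30 days here, an assumption).
    Returns (expiry date, days remaining, state).
    """
    expires = created + timedelta(days=validity_days)
    remaining = (expires - today).days
    if remaining < 0:
        state = "expired"
    elif remaining <= 60:
        state = "email+dashboard warning"
    elif remaining <= 90:
        state = "dashboard warning"
    else:
        state = "ok"
    return expires, remaining, state


def list_invoices(api_key, opener=urllib.request.urlopen):
    """GET /invoices with the bearer header; returns the parsed JSON body.

    `opener` is injectable so the request path can be exercised offline.
    """
    req = urllib.request.Request(f"{API_BASE}/invoices", headers=auth_headers(api_key))
    with opener(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    key = load_api_key()
    print("using key", redact(key))  # never the full key
    print(list_invoices(key))
```

Run it with `CONFIRMO_API_KEY=... python client.py`; because the key is only ever read from the process environment, the same file can be committed without any secret in it, and `redact` is the only form in which the key should appear in log output or tracebacks you forward elsewhere.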