API Key Authentication

All Stableyard API requests require authentication via the x-sdk-key header.

Getting Your API Key

Contact us to request API access: You’ll receive:
  • Sandbox API key for testing
  • Production API key after review

Using Your API Key

Include the x-sdk-key header in all requests: 
curl -X GET https://api.stableyard.fi/sdk/v1/get-user?userId=user_123 \
  -H "x-sdk-key: YOUR_API_KEY" \
  -H "Content-Type: application/json"

Request Headers

HeaderRequiredDescription
x-sdk-keyYesYour API key
Content-TypeFor POST/PUTapplication/json
OriginFor CORSYour domain

Security Best Practices

Never expose your API key in client-side code.API keys should only be used server-side. For client-side applications, proxy requests through your backend.

Do

  • Store API keys in environment variables
  • Use server-side code to make API calls
  • Rotate keys periodically
  • Use different keys for sandbox/production

Don’t

  • Commit API keys to version control
  • Include keys in client-side JavaScript
  • Share keys across applications
  • Use production keys in development

Environment Variables

# .env file
STABLEYARD_API_KEY=your_api_key_here
STABLEYARD_ENV=sandbox  # or 'production'

const apiKey = process.env.STABLEYARD_API_KEY;

Environments

EnvironmentBase URLPurpose
Sandboxhttps://sandbox.api.stableyard.fiTesting and development
Productionhttps://api.stableyard.fiLive transactions

Error Responses

Missing API Key

{
  "success": false,
  "error": "Missing x-sdk-key header",
  "requestId": "uuid"
}
Status Code: 401

Invalid API Key

{
  "success": false,
  "error": "Invalid API key",
  "requestId": "uuid"
}
Status Code: 401

Rate Limited

{
  "success": false,
  "error": "Rate limit exceeded",
  "requestId": "uuid"
}
Status Code: 429

CORS Configuration

For browser-based requests, ensure your origin is whitelisted. Contact support to add domains to your allowlist.

IP Whitelisting

Enterprise customers can restrict API access to specific IP addresses. Contact support to configure IP whitelisting.

Key Rotation

To rotate your API key:
  1. Request a new key from support
  2. Update your application with the new key
  3. Confirm the old key should be revoked
  4. Old key is deactivated
Key rotation can be performed without downtime by supporting multiple keys temporarily during the transition.
Next: See Register — create a new Money Account.