Basic Authentication
All Stableyard API requests require authentication via the Authorization header using HTTP Basic auth. You obtain your STABLEYARD_APP_ID and STABLEYARD_APP_SECRET from the Stableyard SDK.
There are two levels of authentication depending on the API category:
| API Category | Auth Format |
|---|
| Account APIs (register, get-user, update-username, etc.) | Basic base64(STABLEYARD_APP_ID:STABLEYARD_APP_SECRET) |
| Vault APIs (create-vault, deploy-role-module, get-balance) | Basic base64(STABLEYARD_APP_ID:STABLEYARD_APP_SECRET) |
| All other APIs (quote, settle, verify, resolve, KYC, etc.) | Basic base64(STABLEYARD_APP_ID) |
Getting Your Credentials
Contact us to request API access:
You’ll receive:
STABLEYARD_APP_ID — Your application identifierSTABLEYARD_APP_SECRET — Your application secret- Sandbox credentials for testing
- Production credentials after review
Using Your Credentials
Include the Authorization header with Basic auth in all requests.
Account & Vault APIs
These APIs require both STABLEYARD_APP_ID and STABLEYARD_APP_SECRET:
curl -X POST https://api.stableyard.fi/sdk/v1/register \
-H "Authorization: Basic $(echo -n $STABLEYARD_APP_ID:$STABLEYARD_APP_SECRET | base64)" \
-H "Content-Type: application/json" \
-d '{"username": "alice", "addresses": [{"address": "0x...", "chainType": "evm"}]}'
All Other APIs
These APIs require only STABLEYARD_APP_ID:
curl -X POST https://api.stableyard.fi/sdk/v1/quote \
-H "Authorization: Basic $(echo -n $STABLEYARD_APP_ID | base64)" \
-H "Content-Type: application/json" \
-d '{"userId": "user_123", "amount": 100, "destinationPaymentAddress": "merchant@stableyard"}'
| Header | Required | Description |
|---|
Authorization | Yes | Basic base64(STABLEYARD_APP_ID:STABLEYARD_APP_SECRET) for Account & Vault APIs; Basic base64(STABLEYARD_APP_ID) for all others |
Content-Type | For POST/PUT | application/json |
Origin | For CORS | Your domain |
Security Best Practices
Never expose your credentials in client-side code.Your STABLEYARD_APP_ID and STABLEYARD_APP_SECRET should only be used server-side. For client-side applications, proxy requests through your backend.
- Store
STABLEYARD_APP_ID and STABLEYARD_APP_SECRET in environment variables
- Use server-side code to make API calls
- Rotate credentials periodically
- Use different credentials for sandbox/production
Don’t
- Commit credentials to version control
- Include credentials in client-side JavaScript
- Share credentials across applications
- Use production credentials in development
Environment Variables
# .env file
STABLEYARD_APP_ID=your_app_id_here
STABLEYARD_APP_SECRET=your_app_secret_here
STABLEYARD_ENV=sandbox # or 'production'
const appId = process.env.STABLEYARD_APP_ID;
const appSecret = process.env.STABLEYARD_APP_SECRET;
const credentials = Buffer.from(`${appId}:${appSecret}`).toString('base64');
Environments
| Environment | Base URL | Purpose |
|---|
| Sandbox | https://sandbox.api.stableyard.fi | Testing and development |
| Production | https://api.stableyard.fi | Live transactions |
Error Responses
Missing Authorization
{
"success": false,
"error": "Missing Authorization header",
"requestId": "uuid"
}
Invalid Credentials
{
"success": false,
"error": "Invalid credentials",
"requestId": "uuid"
}
Rate Limited
{
"success": false,
"error": "Rate limit exceeded",
"requestId": "uuid"
}
CORS Configuration
For browser-based requests, ensure your origin is whitelisted. Contact support to add domains to your allowlist.
IP Whitelisting
Enterprise customers can restrict API access to specific IP addresses. Contact support to configure IP whitelisting.
Credential Rotation
To rotate your credentials:
- Request new credentials from support
- Update your application with the new
STABLEYARD_APP_ID and STABLEYARD_APP_SECRET
- Confirm the old credentials should be revoked
- Old credentials are deactivated
Credential rotation can be performed without downtime by supporting multiple credential pairs temporarily during the transition.
Next: See Register — create a new Money Account. 
