Authentication

All REST API requests require a secret API key in the Authorization header. Keys are scoped to a workspace and environment (live or sandbox).

API key format

decl_live_sk_* — production data
decl_sandbox_sk_* — test data, safe for development

Request header

http

Authorization: Bearer decl_live_sk_your_secret_key
Content-Type: application/json
Accept: application/json

Base URL

SDKs default to https://dev.declined.io/api. In local development, point baseUrl at your app URL with the /api prefix, e.g. http://localhost:3000/api.

Creating keys

Generate keys from the Declined dashboard → Webhooks & SDK → API Keys. Keys are shown once at creation; store them securely. Rotate compromised keys immediately.

Permissions

API keys inherit the permissions assigned when created. Keys without analytics or recovery permissions receive 403 responses on restricted endpoints.

Error responses

json

{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key"
  }
}