Authentication
All API requests require authentication using an API key, but the important decision is not just how to send the header. It is which key type and environment match your product model.
API Keys
You’ll find your API keys in the dashboard.
Choose The Right Key First
| Key | Prefix | Best for | Access scope |
|---|---|---|---|
| Account key | sk_* | Backend services, platforms, multi-entity control | One account, potentially many entities |
| Entity key | ek_* | Isolated per-business access, customer-facing integrations | One entity only |
Choose The Right Environment
| Environment | Prefix example | Use it when |
|---|---|---|
| Sandbox | sk_sandbox_*, ek_sandbox_* | You are building, testing, demoing, or validating flows |
| Live | sk_live_*, ek_live_* | You are ready to issue real documents and operate in production |
Using Your API Key
Include your API key in the Authorization header:
```bash
curl https://eu.spaceinvoices.com/entities \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Or with the SDK:
```javascript
import SpaceInvoices from "@spaceinvoices/js-sdk";
const _sdk = new SpaceInvoices("YOUR_API_KEY");
```
Account Key vs Entity Key
Use an account key when your backend needs to:
- create or manage entities
- switch across multiple customer businesses
- act as the control plane for a platform, marketplace, fintech, or accounting product
Use an entity key when you want one business context only:
- embedded customer-facing integrations
- tenant-isolated access
- simpler setups where one key should never move across entities
This is the most common split:
- platform backend: account key
- one tenant-facing integration or embedded UI: entity key
Environment Separation
Sandbox and live are completely separate:
- different API keys
- different data
- different entities
- no cross-contamination between test and production flows
```javascript
// Development
const _sdk = new SpaceInvoices(process.env.SI_SANDBOX_KEY);
// Production
const sdk = new SpaceInvoices(process.env.SI_LIVE_KEY);
```
Sandbox Behavior
The sandbox mirrors the production API model while keeping risk low.
| Aspect | Sandbox | Live |
|---|---|---|
| Data | Separate test data | Production data |
| API endpoints | Same base URL | Same base URL |
| Keys | Sandbox prefixes | Live prefixes |
| Fiscalization | Test servers where applicable | Real authority servers |
| | Restricted test behavior | Real delivery behavior |
Use sandbox for development, integration testing, demos, and first-value validation.
Key Rotation
To rotate your API key:
- Generate a new key in the dashboard
- Update your application to use the new key
- Revoke the old key once confirmed working
Rate Limits
| Environment | Requests/minute |
|---|---|
| Sandbox | 60 |
| Live | 850 |
When you exceed the rate limit, the API returns 429 Too Many Requests.
Recommended Defaults
- start with a sandbox account key if you are still exploring
- move to entity keys only when you need tenant-isolated access
- keep live keys out of development environments
- decide user access separately from API access
If your end users need dashboard access, continue to User Access.
Security Best Practices
- Store keys securely — Use environment variables or a secrets manager
- Use different keys per environment — Never use production keys in development
- Rotate regularly — Rotate keys at least quarterly
- Monitor usage — Set up alerts for unusual API activity
- Restrict access — Only give team members the access they need
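
The key prefixes documented above make it possible to enforce the key-type and environment rules in code at startup instead of relying on convention. The following is an added example, not part of the Space Invoices SDK or documentation: the function names, the `deployment` labels, and the sample keys are assumptions, and only the `sk_`/`ek_` and `sandbox`/`live` prefixes come from this page.

```javascript
// Added example: a startup guard built on the documented key prefixes.
// Function names and the "development"/"production" labels are assumptions.
const KEY_PATTERN = /^(sk|ek)_(sandbox|live)_(.+)$/;

// Derive key type and environment from the documented prefix only.
function classifyKey(key) {
  const m = typeof key === "string" ? KEY_PATTERN.exec(key.trim()) : null;
  if (!m) return null;
  return {
    type: m[1] === "sk" ? "account" : "entity",
    environment: m[2],
  };
}

// Safe form for logs and error messages: prefix only, never the secret part.
function redactKey(key) {
  const m = typeof key === "string" ? KEY_PATTERN.exec(key.trim()) : null;
  return m ? `${m[1]}_${m[2]}_***` : "***";
}

// Throw before any request is made if the key breaks one of the page's rules:
// live keys stay out of non-production deployments, and a tenant-facing
// integration that expects an entity key must not receive an account key.
function assertKeyAllowed(key, { deployment, expectedType }) {
  const info = classifyKey(key);
  if (!info) {
    throw new Error(`Unrecognized API key format (${redactKey(key)})`);
  }
  if (deployment !== "production" && info.environment === "live") {
    throw new Error(`Live key ${redactKey(key)} refused in ${deployment}`);
  }
  if (expectedType && info.type !== expectedType) {
    throw new Error(
      `Expected ${expectedType} key, got ${info.type} key ${redactKey(key)}`
    );
  }
  return info;
}

// Constructed sample keys, not real credentials.
const SAMPLE_SANDBOX_ACCOUNT = "sk_sandbox_EXAMPLE0000";
const SAMPLE_LIVE_ENTITY = "ek_live_EXAMPLE0000";
```

Call `assertKeyAllowed` once at process start, before constructing the SDK client, so a misconfigured deployment fails fast without the key value reaching logs.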