Authentication
All API requests must include your API key in the Api-Key header.
API Keys
API keys are scoped to your organization and can be created in the Dashboard.
| Environment | Key Prefix | Description |
|---|---|---|
| Sandbox | lk_test_ | For testing and development |
| Production | lk_live_ | For live transactions |
Security Best Practices
- Never expose API keys in client-side code
- Don’t commit keys to version control
- Rotate keys periodically
- Use separate keys for development and production
Making Authenticated Requests
Include your API key in the Api-Key header:
curl https://api.ledger.so/v1/agents \
  -H "Api-Key: lk_test_your_api_key"
Error Responses
Missing API Key
{
  "error": "Missing Api-Key header"
}
Status: 401 Unauthorized
Invalid API Key
{
  "error": "Invalid API key"
}
Status: 401 Unauthorized
Expired API Key
{
  "error": "API key expired"
}
Status: 401 Unauthorized
Rate Limits
API requests are rate-limited per organization:
| Operation | Rate | Burst |
|---|---|---|
| Read (GET) | 100/min | 20 |
| Write (POST/PATCH/DELETE) | 30/min | 10 |
| Card Creation | 10/min | 5 |
When rate limited, you’ll receive:
{
  "error": "Rate limit exceeded",
  "retryAfter": 5000
}
Status: 429 Too Many Requests
Headers:
Retry-After: Seconds until you can retry
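The key-handling practices and the 401/429 responses above, in client code. This is an added example, not part of the original documentation or any vendor SDK: the key is read from an environment variable and must carry the prefix of the declared environment, a 429 waits for the Retry-After header, and a 401 fails without retrying. The variable name LEDGER_API_KEY, the function names, and the 5-second default and 60-second cap are assumptions.

```python
import os
import time
import urllib.error
import urllib.request

# Prefixes from the key table on this page.
KEY_PREFIXES = {"sandbox": "lk_test_", "production": "lk_live_"}

def load_api_key(environment, env=os.environ):
    """Read the key from the process environment (never from source) and
    refuse one whose prefix does not match the declared environment."""
    key = env.get("LEDGER_API_KEY", "")  # variable name is an assumption
    prefix = KEY_PREFIXES[environment]
    if not key.startswith(prefix) or len(key) == len(prefix):
        raise ValueError(f"LEDGER_API_KEY is not a {environment} key ({prefix}...)")
    return key

def redact(key):
    """Log-safe form: the environment prefix only, never the secret part."""
    for prefix in KEY_PREFIXES.values():
        if key.startswith(prefix):
            return prefix + "****"
    return "****"

def retry_delay(headers, default=5.0, cap=60.0):
    """Seconds to wait after a 429, taken from the Retry-After header.
    The body's retryAfter field has no stated unit, so it is not used."""
    try:
        return min(max(int(headers.get("Retry-After", "")), 0), cap)
    except (AttributeError, TypeError, ValueError):
        return default  # header absent or not a whole number of seconds

def api_get(url, key, attempts=3, sleep=time.sleep, opener=urllib.request.urlopen):
    """GET with the Api-Key header; waits on 429, fails closed on 401."""
    request = urllib.request.Request(url, headers={"Api-Key": key})
    for attempt in range(1, attempts + 1):
        try:
            with opener(request) as response:
                return response.read()
        except urllib.error.HTTPError as err:
            if err.code == 429 and attempt < attempts:
                sleep(retry_delay(err.headers))
                continue
            if err.code == 401:  # missing, invalid or expired key: a retry cannot help
                raise PermissionError(f"401 for key {redact(key)}") from None
            raise
```

The `sleep` and `opener` parameters exist so the retry logic can be exercised without network access.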
Managing API Keys
Create a Key
- Go to Dashboard
- Navigate to Settings > API Keys
- Click Create Key
- Name your key and set expiration (optional)
- Copy the key immediately (it won’t be shown again)
Revoke a Key
- Go to Settings > API Keys
- Find the key you want to revoke
- Click Revoke
Revoking a key is immediate and permanent. Any requests using that key will fail.
Environments
| Environment | Base URL |
|---|---|
| Sandbox | https://sandbox.ledger.so |
| Production | https://api.ledger.so |
Use sandbox for testing. No real charges are made and you can use test credentials.