
Authentication


All Merchant API requests are authenticated using an API key passed in the request header.


API key

Include your API key in every request using the X-Api-Key header:

curl -X POST https://api.ecca-ex.com/api/v1/create-invoice \
  -H "Content-Type: application/json" \
  -H "X-Api-Key: your_api_key_here" \
  -d '{ ... }'

Required headers

Header       | Required | Description
X-Api-Key    | Yes      | Your merchant API key
Content-Type | Yes      | Must be application/json for POST requests

Obtaining an API key

1. Log in to your merchant dashboard.
2. Navigate to Settings → API Keys.
3. Click Generate new key. The key is displayed only once — copy and store it securely.

Each API key is tied to a specific merchant account. You can generate multiple keys and deactivate them independently.


Security best practices

Your API key grants full access to your merchant account. Treat it like a password.

  • Never expose API keys in client-side code (JavaScript, mobile apps)
  • Never commit API keys to version control (Git, SVN)
  • Store keys in environment variables or a secrets manager
  • Use separate keys for development / staging / production
  • If a key is compromised, rotate it immediately in your dashboard — the old key will be deactivated instantly

Authentication errors

If authentication fails, the API returns one of these errors:

HTTP | Code                | Description
401  | API_KEY_MISSING     | X-Api-Key header is missing or empty
403  | API_KEY_INVALID     | API key is invalid or deactivated
403  | OWNER_BLOCKED       | Merchant account owner is blocked
403  | MERCHANT_BLOCKED    | Merchant account is banned
403  | MERCHANT_NOT_ACTIVE | Merchant account is not yet activated

Example error response:

{
  "successful": false,
  "request_id": "a1b2c3d4-5678-90ab-cdef-1234567890ab",
  "error": {
    "code": "API_KEY_INVALID",
    "message": "Invalid or inactive API key"
  }
}

These errors can occur on any endpoint. If you receive a 401 or 403, check your API key before investigating further.
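
A client-side sketch of the key-handling practices and the error table above, added here as an example and not taken from the Merchant API's own code or SDK. It reads the key from an environment variable (the name MERCHANT_API_KEY is an assumption), masks it before logging, and sorts 401/403 responses into key problems versus account-state problems (that grouping is this example's reading of the table, not a field the API returns).

```python
import json
import os

# Error codes from the table above. The "key"/"account" grouping is this
# example's reading of the descriptions, not something the API returns.
AUTH_ERRORS = {
    "API_KEY_MISSING": "key", "API_KEY_INVALID": "key",
    "OWNER_BLOCKED": "account", "MERCHANT_BLOCKED": "account",
    "MERCHANT_NOT_ACTIVE": "account",
}

def build_headers(env=None, var="MERCHANT_API_KEY"):
    """Build request headers from an environment variable (assumed name)."""
    env = os.environ if env is None else env
    key = env.get(var, "").strip()
    if not key:
        # Fail locally instead of sending a request that returns API_KEY_MISSING.
        raise RuntimeError(f"{var} is not set or empty")
    if "\r" in key or "\n" in key:
        # A line break inside a header value would split the header.
        raise ValueError(f"{var} contains a line break")
    return {"X-Api-Key": key, "Content-Type": "application/json"}

def redact(headers):
    """Return a copy of the headers that is safe to write to logs."""
    return {k: "[redacted]" if k.lower() == "x-api-key" else v
            for k, v in headers.items()}

def classify_auth_error(status, body):
    """Return None for non-auth responses, else a dict describing the failure."""
    if status not in (401, 403):
        return None
    try:
        doc = json.loads(body)
        code = doc["error"]["code"]
        request_id = doc.get("request_id")
    except (ValueError, KeyError, TypeError):
        code, request_id = None, None  # body is not the documented error shape
    if not isinstance(code, str):
        code = None
    # request_id identifies the failed call in logs without exposing the key.
    return {"status": status, "code": code, "request_id": request_id,
            "scope": AUTH_ERRORS.get(code, "unknown")}
```

A scope of "key" means checking or rotating the key is the next step; "account" means a new key will not change the result.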