Authentication
Every API call carries a single shared secret — your API key — in the request body. The key identifies the calling account, applies its rate-limit tier, and scopes every action to that account's data only.
Where to put the key
Pass the key as the key field in the form-encoded request body. Header-based auth is not supported — the v2 spec uses body params for compatibility with existing reseller SDKs.
Content-Type: application/x-www-form-urlencoded
key=YOUR_API_KEY&action=services
Generating and rotating keys
Keys are generated and rotated from /dashboard/api. Each key is shown to you exactly once at creation time — the dashboard stores only the hashed prefix afterwards, so you cannot recover the raw value.
- Maximum 10 active keys per account. Old keys can be revoked individually.
- Regeneration revokes the old value immediately. Existing in-flight requests using the old key complete normally; new requests get an error.
- Re-authentication required: creating or rotating a key prompts for a fresh password. This is a deliberate friction point — keys are the highest-value secret an account holds.
What an API key can do
A v2 API key has the same surface area as the holder's logged-in dashboard session — it can place orders, query status, refill, cancel, read balance, and manage webhooks. It cannot:
- Withdraw or transfer balance.
- Change the account email, password, or 2FA settings.
- Generate or rotate other API keys.
- Access admin or moderation endpoints.
Security recommendations
- Server-side only. Never embed an API key in a browser bundle, mobile app, or any client another party can decompile.
- Use environment variables. Don't commit keys to git. .env files belong in .gitignore.
- Rotate on suspicion. If a key is exposed in a log, screenshot, or shared chat — even momentarily — regenerate immediately.
- Use webhooks instead of polling where possible. Polling status every few seconds burns through your rate limit; webhooks push updates only when something changes.
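Because the key travels in the request body rather than in a header, any request-body logging will capture it. The following is an added example, not code from this documentation: a server-side client that reads the key from an environment variable, builds the form-encoded body, and masks the key field before anything is logged. The endpoint URL and the variable name PANEL_API_KEY are placeholders assumed for illustration.

```python
import logging
import os
import urllib.request
from urllib.parse import parse_qsl, urlencode

# Assumptions (not from the documentation): the endpoint URL and the
# environment variable name below are placeholders.
API_URL = "https://api.example.invalid/v2"
KEY_ENV_VAR = "PANEL_API_KEY"

log = logging.getLogger("apiclient")


def load_key(environ=os.environ):
    """Read the key from the environment; fail loudly if it is missing."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def build_body(key, action, **params):
    """Form-encode the request body with the key in the `key` field."""
    return urlencode({"key": key, "action": action, **params}).encode("ascii")


def redact_body(body):
    """Return a loggable copy of a form-encoded body with `key` masked."""
    pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k == "key" else v) for k, v in pairs])


def build_request(action, environ=os.environ, **params):
    """Build (but do not send) the POST; only the redacted body is logged."""
    body = build_body(load_key(environ), action, **params)
    log.info("POST %s body=%s", API_URL, redact_body(body))
    return urllib.request.Request(
        API_URL,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample key, for demonstration only.
    req = build_request("services", environ={KEY_ENV_VAR: "constructed-sample-key"})
    print(req.get_method(), len(req.data), "bytes ready to send")
```

Apply the same masking to any proxy, APM, or error-reporting layer that records request bodies, since those sit outside this client.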