Authentication
The PalPluss API uses HTTP Basic Auth with your API key. Every request must include
a valid API key — there are no public endpoints.
API keys
API keys are created and managed from the PalPluss dashboard under Settings → API Keys.
Each key:
- Is scoped to a single account (tenant)
- Can be revoked at any time from the dashboard
- Does not expire automatically — rotate keys manually as part of your security practice
Treat API keys like passwords. Never commit them to source control or expose
them in client-side code. Use environment variables or a secrets manager.
Sending requests
Set your API key as the Basic Auth username with an empty password:
curl https://api.palpluss.com/v1/wallets/service/balance \
-u "pk_live_xxxxxxxxxxxxxxxxxxxx:"
The Authorization header value is:
Note the trailing colon — this encodes an empty password in Basic Auth format.
Authentication errors
| Code | HTTP | Reason |
|---|---|---|
| INVALID_API_KEY | 401 | Key not found, revoked, or malformed header |
| TENANT_INACTIVE | 401 | The account associated with this key is suspended |
{
  "success": false,
  "error": {
    "message": "Invalid or revoked API key.",
    "code": "INVALID_API_KEY",
    "details": {}
  },
  "requestId": "c1b2a3d4-e5f6-7890-abcd-ef1234567890"
}
Rate limiting
Requests are limited to 60 per minute per API key. Rate limit headers are included
on every response:
| Header | Description |
|---|---|
| x-ratelimit-limit | Maximum requests per minute (always 60) |
| x-ratelimit-remaining | Requests remaining in the current window |
| x-ratelimit-reset | Unix timestamp when the window resets |
| Retry-After | Seconds to wait (only on 429 responses) |
When the limit is exceeded, requests return 429 with error code RATE_LIMIT_EXCEEDED.
Wait for the number of seconds in Retry-After before retrying.
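An added example (not PalPluss code) covering the Sending requests and Rate limiting sections above: it builds the Basic Auth header with an empty password from a key held in an environment variable, and waits for Retry-After on 429 while treating 401 as non-retryable. The variable name PALPLUSS_API_KEY, the function names, the 120-second cap and the x-ratelimit-reset fallback are assumptions.

```python
import base64
import os
import time
import urllib.error
import urllib.request

API_BASE = "https://api.palpluss.com/v1"  # host and version from the curl example


def basic_auth_header(api_key: str) -> str:
    """Authorization value: 'Basic ' + base64('<key>:'), i.e. an empty password."""
    if not api_key or ":" in api_key:
        # A colon in the username would push part of the key into the password field.
        raise ValueError("API key must be non-empty and must not contain ':'")
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def retry_delay(status: int, headers, now: float, cap: float = 120.0):
    """Seconds to wait before retrying, or None when a retry cannot succeed."""
    if status != 429:
        return None  # e.g. 401 INVALID_API_KEY / TENANT_INACTIVE: fix the key, do not retry
    h = {k.lower(): v for k, v in headers.items()}
    try:
        delay = float(h["retry-after"])
    except (KeyError, ValueError):
        try:  # assumed fallback: wait until the window resets
            delay = float(h["x-ratelimit-reset"]) - now
        except (KeyError, ValueError):
            delay = 1.0
    return min(max(delay, 0.0), cap)  # cap is an assumption, not a PalPluss value


def get(path: str, max_attempts: int = 3) -> bytes:
    """GET API_BASE + path with the key from PALPLUSS_API_KEY (assumed variable name)."""
    auth = basic_auth_header(os.environ["PALPLUSS_API_KEY"])
    req = urllib.request.Request(API_BASE + path, headers={"Authorization": auth})
    for attempt in range(1, max_attempts + 1):
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            delay = retry_delay(err.code, err.headers, time.time())
            if delay is None or attempt == max_attempts:
                raise  # never log req.headers here: it contains the key
            time.sleep(delay)
    raise ValueError("max_attempts must be at least 1")
```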
Key rotation best practices
- Rotate keys periodically (every 90 days is a common baseline).
- When rotating, create the new key first, update your application, then revoke the old key.
- Use separate keys for different environments (staging, production).
- Never reuse keys across multiple services — issue one key per integration.