Authorization


Vendy authenticates your API requests using your permanent Access Key and Secret Key. This removes the need to generate and refresh temporary tokens and so simplifies integration. All API requests must be made over HTTPS; requests made over plain HTTP will fail.

How to Authenticate

Vendy uses HTTP Basic Authentication, a standard scheme for sending credentials. You will use your AccessKey as the username and your SecretKey as the password.

Key        Description
AccessKey  Your unique public identifier, found in the Settings page of your Vendy dashboard.
SecretKey  Your private credential, found in the Settings page of your Vendy dashboard. Never share this key.


Example Request

Here is an example using curl to make an authenticated request.

# 1. Your keys
ACCESS_KEY="YOUR_ACCESS_KEY"
SECRET_KEY="YOUR_SECRET_KEY"

curl -X GET "https://api.myvendy.com/your-endpoint" \
  -H "AccessKey: $ACCESS_KEY" \
  -H "SecretKey: $SECRET_KEY" \
  -H "Content-Type: application/json"

Server and Response Behavior

All requests must be sent server-to-server, and your app or website should never communicate directly with Vendy APIs, as this would expose your Secret Key.

  • If you are authorized, the resource server will return the requested information with a 2xx status code.
  • If your credentials are incorrect or you are not authorized, the server will return a 4xx error response.

Protecting Your API Keys

Your AccessKey and SecretKey provide direct, permanent access to your account and should be protected with the same level of security as your main account password. Anyone with your keys can perform constructive and destructive actions, including initiating withdrawals and modifying account data.

Follow these best practices to keep your keys secure:

  • Do not store API keys in your application's source control (e.g., Git, Bitbucket).
  • If you use configuration files, keep them outside your version control system.
  • Do not embed API keys directly in your code; use environment variables or a secrets management service to inject them at runtime.
  • Limit employee access to production API keys to only necessary personnel.
  • Do not expose your keys in client-side code (e.g., JavaScript in a web browser). All API calls must originate from a secure backend server.
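The following is an added example, not Vendy's own SDK, of a server-side client that puts the practices above together: keys are read from environment variables at runtime (the variable names VENDY_ACCESS_KEY and VENDY_SECRET_KEY are an assumption for this example), the client refuses to send credentials to anything but an HTTPS URL, and responses are classified by the 2xx/4xx behaviour described under "Server and Response Behavior". It sends the keys using the HTTP Basic scheme described under "How to Authenticate" (AccessKey as username, SecretKey as password); note that the curl example on this page sends them as separate AccessKey and SecretKey headers instead, so confirm which form the API you are calling accepts.

```python
import base64
import os
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Environment variable names are an assumption for this example; the page
# does not name them. Keys are injected at runtime, never written into source.
ACCESS_KEY_ENV = "VENDY_ACCESS_KEY"
SECRET_KEY_ENV = "VENDY_SECRET_KEY"


def load_keys(env=os.environ):
    """Read the permanent keys from the environment; fail fast if either is absent."""
    try:
        return env[ACCESS_KEY_ENV], env[SECRET_KEY_ENV]
    except KeyError as missing:
        raise RuntimeError(f"missing credential in environment: {missing}") from None


def basic_auth_header(access_key, secret_key):
    """HTTP Basic: AccessKey as username, SecretKey as password, base64-encoded."""
    token = base64.b64encode(f"{access_key}:{secret_key}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def require_https(url):
    """Refuse to send credentials over plain HTTP (Vendy rejects such requests anyway)."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing to send API keys over a non-HTTPS URL: {url}")
    return url


def classify_status(status):
    """Map the response classes the documentation describes to an outcome label."""
    if 200 <= status < 300:
        return "authorized"
    if 400 <= status < 500:
        return "rejected"  # incorrect credentials or not authorized for the resource
    return "error"


def vendy_get(path, base_url="https://api.myvendy.com", env=os.environ):
    """Server-to-server GET; returns (outcome label, raw response body)."""
    url = require_https(base_url.rstrip("/") + "/" + path.lstrip("/"))
    headers = {"Content-Type": "application/json", **basic_auth_header(*load_keys(env))}
    try:
        with urlopen(Request(url, headers=headers, method="GET")) as resp:
            return classify_status(resp.status), resp.read()
    except HTTPError as err:  # urllib raises on 4xx/5xx; report the class, do not retry blindly
        return classify_status(err.code), err.read()
```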