Skip to main content
The Developer API uses a two-step credential model: a long-lived API key for token exchange, and a short-lived access token on every API request.

Overview

  [1] Create API key          Incard dashboard (shown once)
  [2] Exchange for token      POST /auth/v1/.../token  { api_key }
  [3] Call Developer API      Authorization: Bearer <access_token>
CredentialLifetimeUsed for
api_keyUntil revokedToken exchange only
access_token~15 minutesDeveloper API requests
API keys are environment-specific. Sandbox keys start with sk_sandbox_; live keys start with sk_live_. Use the matching environment for both token exchange and API calls.

Environments

EnvironmentBase URLToken endpoint
Sandboxhttps://api-nonprod.incard.comPOST /auth/v1/sandbox/token
Livehttps://api.incard.comPOST /auth/v1/token
Use sandbox while integrating. Gateway paths are relative to the base URL (for example GET /developer/companies).

Create an API key

Any active member of your company can create keys from the Incard dashboard. Choose sandbox or live when creating the key. The full secret is shown once at creation. Store it in a secrets manager or environment variable — you cannot retrieve it again. Listing keys in the dashboard shows only a prefix for identification. Key limits per company: up to 5 active sandbox keys and 5 active live keys.

Exchange for an access token

Exchange your API key for a short-lived access token before calling the Developer API. Send the key in the request body:
curl -sS -X POST "https://api-nonprod.incard.com/auth/v1/sandbox/token" \
  -H "Content-Type: application/json" \
  -d '{"api_key": "sk_sandbox_YOUR_KEY"}'
Response:
{
  "access_token": "<opaque-token>",
  "expires_at": "2026-05-28T14:43:58.000Z"
}
Cache the access_token and refresh it before expires_at. Do not send your API key on Developer API requests — only on the token endpoint.
Never log, commit, or expose API keys or access tokens. Use HTTPS for all requests.

Call the Developer API

Send the access token as a Bearer credential on every request:
curl -sS "https://api-nonprod.incard.com/developer/companies" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
When the token expires, exchange your API key again for a new one.

Permissions

An API key is tied to the member who created it and the company active at creation time. What that member can do on the Developer API follows the same role-based rules as in the Incard product. Permissions are determined by the member’s company role. An owner can access every endpoint their company is entitled to; an employee has the most restricted access. Create keys with a role that has the permissions your integration needs. If the authenticated principal lacks permission for an endpoint, the API returns 403 Forbidden.

Revoke a key

Revoke keys from the Incard dashboard when they are no longer needed or may be compromised. Revoked keys cannot be used to obtain new access tokens. Outstanding access tokens remain valid until they expire.