Authentication
API Keys
Every API request requires an API key passed as a Bearer token:
Authorization: Bearer sk_test_your_key_here
The SDK handles this automatically; pass your key to the constructor.
Base URL
All requests use the same base URL:
https://gateway.useyona.com
Your key prefix determines the environment:
| Prefix | Environment | Behavior |
|---|---|---|
| sk_test_* | Sandbox | Invoices NOT submitted to tax authority. Safe for testing. |
| sk_live_* | Production | Invoices ARE submitted. Irreversible. |
See Sandbox vs Production for details.
Organization Scoping
API keys are scoped to the organization that created them. A key can only access data belonging to its organization.
const client = new EInvoice({ apiKey: 'sk_test_org123_key' });
This key can only access data belonging to 9f8e7d6c-5b4a-3210-fedc-ba9876543210. It cannot read or write data from other organizations, even parent or sibling orgs.
Creating API Keys
Create keys from the dashboard or programmatically via the API:
The raw key is returned only once in the response. It cannot be retrieved again after this.
Key Rotation
Rotate a key to generate a new one and deprecate the old:
The old key has a deprecation grace period.
See SDK — Usage Examples for the programmatic interface.
Security Best Practices
- Never expose keys in client-side code. API keys are server-side only.
- Use environment variables. Don’t commit keys to source control.
- Use test keys for development. Switch to live keys only in production.
- Rotate keys periodically. The rotate() method provides a grace period.
- Revoke compromised keys immediately. revoke() is irreversible.
- Use scoped keys. Assign roles with minimal permissions.
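A startup guard that applies the environment-variable and test/live practices above, added here as an example and not part of the SDK. The variable name YONA_API_KEY, the use of NODE_ENV to identify production, and the choice to also reject test keys in production are assumptions.

```javascript
// Added example. YONA_API_KEY and the NODE_ENV policy are assumptions,
// not names defined by the API or the SDK.
const PREFIX_MODE = { sk_test_: 'sandbox', sk_live_: 'production' };

// Show only the prefix and last 4 characters so logs never hold a usable key.
function redactKey(key) {
  const prefix = Object.keys(PREFIX_MODE).find((p) => key.startsWith(p)) || '';
  const tail = key.length - prefix.length > 8 ? key.slice(-4) : '';
  return `${prefix}****${tail}`;
}

// Read the key from the environment and refuse a key whose prefix does not
// match the deployment it is running in.
function loadApiKey(env = process.env) {
  const key = (env.YONA_API_KEY || '').trim();
  if (!key) throw new Error('YONA_API_KEY is not set');
  const prefix = Object.keys(PREFIX_MODE).find((p) => key.startsWith(p));
  if (!prefix) throw new Error('API key has an unrecognized prefix');
  const mode = PREFIX_MODE[prefix];
  const isProd = env.NODE_ENV === 'production';
  // A live key outside production would submit real, irreversible invoices.
  if (mode === 'production' && !isProd) {
    throw new Error(`live key ${redactKey(key)} loaded outside production`);
  }
  // A test key in production would silently skip submission.
  if (mode === 'sandbox' && isProd) {
    throw new Error(`test key ${redactKey(key)} loaded in production`);
  }
  return { apiKey: key, mode, redacted: redactKey(key) };
}

// Constructed sample values, not real keys.
const sample = loadApiKey({
  YONA_API_KEY: 'sk_test_CONSTRUCTED0001',
  NODE_ENV: 'development',
});
console.log(sample.mode, sample.redacted);
```

Call loadApiKey() once at process start and pass the returned apiKey to the client constructor; log only the redacted form.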
Error Responses
| Scenario | Status | Error Code | Message |
|---|---|---|---|
| Missing API key | 401 | AUTH004 | Unauthorized |
| Invalid API key | 401 | AUTH001 | Invalid credentials |
| Expired API key | 401 | AUTH002 | Token expired |
| Key lacks permission | 403 | AUTH005 | Forbidden |