The Defacto API utilises API keys to authenticate requests.

In particular, authentication to the API is performed via HTTP Bearer Authentication (also called token authentication).

So, to perform an authenticated API call, you must set the Authorization header of your HTTP request to Bearer <YOUR_API_KEY>.

On this page, we guide you through getting a Defacto API key and making your first authenticated request.

Getting an API Key

The Defacto web application must be used to get an API key (sandbox here or production here). If this is your first time here, open the sandbox link.


Sandbox and production use distinct API keys

We generate different API keys and use two distinct accounts for the sandbox and production. So, be careful to use your API key with the right environment.

The screenshot below shows how to access the Settings section where you can get an API key.


Accessing the settings menu

On the settings page, you will be able to get your first API key by clicking the Create API Key button (see example below).

Click the three dots on the right and Copy token. Then, come back to this guide.


Settings page containing the API keys


API Key management on the Defacto Web Application

From the web application you can:

  • View and manage your API keys in the Settings menu.
  • Create an API key by using the Create API Key button.
  • Revoke API keys in the actions column next to the API key you wish to revoke.

Your first authenticated API call

The API key that you just got should look like this:

Open the /hello page in a new tab, write Bearer in the authentication header section, followed by a space, and then paste your newly created API key. After that, click the Try it button.


You will see a welcoming message as a response. Congratulations!!! 🥳 You just did your first authenticated API call with the Defacto API.

Using the API key for programmatic API calls

To perform an authenticated API call programmatically, you must set the Authorization header of your HTTP requests to Bearer <YOUR_API_KEY>. This is very similar to what we just did from the documentation.

Example with curl:

curl --location --request GET '' -H 'Authorization: Bearer <API_KEY>'



Bearer authentication should only be used over HTTPS (SSL). API requests without authentication will fail and return a 401 HTTP code.

Now, you should be ready to integrate with our API.

Keep your API keys secure!



API keys carry many privileges, so keep them secure! Do not share your secret API keys in publicly accessible areas.
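
The following is an added example, not code from Defacto: a small Python client that applies the rules from "Using the API key for programmatic API calls" and "Keep your API keys secure!" above. The environment variable names and the function names are assumptions made for this example, and the caller supplies the API URL for the environment in use.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumed variable names: one per environment, because sandbox and
# production use distinct API keys. Keys are never hard-coded in source.
KEY_ENV_VARS = {
    "sandbox": "DEFACTO_SANDBOX_API_KEY",
    "production": "DEFACTO_PRODUCTION_API_KEY",
}


def load_api_key(environment, environ=os.environ):
    """Read the API key for one environment from the process environment."""
    key = environ.get(KEY_ENV_VARS[environment], "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VARS[environment]} is not set")
    return key


def build_request(url, api_key):
    """Build a GET request carrying the key as a Bearer token, HTTPS only."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a Bearer token over a non-HTTPS URL")
    if any(c.isspace() for c in api_key):
        raise ValueError("API key contains whitespace; check how it was copied")
    headers = {"Authorization": f"Bearer {api_key}"}
    return urllib.request.Request(url, headers=headers, method="GET")


def redact(api_key):
    """Return a form of the key that is safe to write to logs."""
    return "..." + api_key[-4:] if len(api_key) > 8 else "..."


def call(url, api_key, timeout=10):
    """Send the request and return (status, body); explain a 401 without leaking the key."""
    request = build_request(url, api_key)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise PermissionError(
                f"401: request was not authenticated (key {redact(api_key)}); "
                "check that the key is not revoked and is the one for this environment"
            ) from None
        raise
```

Set the environment variable from a secret store or the shell session rather than a file committed to version control, and revoke the key in the Settings menu if it is ever exposed.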