Skip to main content
Every request to the Rigaly API is authenticated with an API key in the Authorization header:

Keys

  • Keys are created in the business dashboard under Tools → API Management (up to 10 active keys per business).
  • The full key is shown once at creation. Rigaly stores only a hash — if you lose a key, roll it or create a new one.
  • Every key has full access to your business’s data and nothing else — keys never see other businesses.
  • last_used_at is tracked per key so you can spot unused keys.

Key lifecycle

Security best practices

Never embed keys in mobile apps, browser JavaScript, or public repositories. All calls should come from your backend.
Store keys in environment variables or a secret manager, not in code. The rgly_sk_ prefix makes accidental commits detectable by secret scanners.
Use separate keys for production and staging so you can revoke one without affecting the other.
Roll keys on a schedule (e.g. quarterly). Rolling is atomic — the new key works immediately.

Account requirements

API access is included for all approved businesses at no extra platform cost — pricing stays the same: your monthly subscription plus the per-transaction fee. Requests are rejected with 403 while an account is pending, blocked (payment issue), or suspended.