Learn how to authenticate your connection to the Bloc API

The first thing to do when getting started with the Bloc API is to find your API keys.

We require all API calls to include their API key in the authorisation header. We use API keys to verify where an API call is coming from, and without it, you cannot do anything with the Bloc API.



Any invalid, missing or wrong API key will return 401 Unauthorised responses.

Finding your API keys

To find your API keys, sign into the Bloc Dashboard. Go to Settings β†’ Developer, and you'll find two types of keys β€” a Public Key and a Secret Key.



You can generate a new set of API keys by clicking on Generate new key on the Developer settings page.

Public Key vs Secret Key

1. Public Key

Your public key is the identifier for your organisation account and is used to authenticate requests made to our APIs. It is safe to be shared and transmitted over insecure channels. They are meant to be used on your front end when integrating any of our client-side widgets.

Please note, public keys cannot modify any changes to your account except for initiating transactions with you.

2. Secret Key

On the other hand, your secret key is a secure string that should never be shared or transmitted, and is used to sign API requests to our system. This is what identifies the organisation and provides access to your account.

Remember, your secret key should be kept confidential and never shared publicly or transmitted in a way that can be intercepted by a third party. Make sure to generate and store your secret keys securely, and ensure that they are rotated regularly.

Authenticating your API Call

Include an authorisation header in the following format:

Authorization: Bearer sk_test_6308e29146f951****291b3dd632



When adding to your code, replace the "sk_test_6308e29146f951****291b3dd632" with your own secret key.

Common errors to avoid

Here are a list of things to look out for if you're getting 401 Unauthorised error responses.

  1. You're using an old/former API key: Whenever you generate a new key, always make sure to check your integration and update your keys to keep your connection active.
  2. You're using the wrong key: A public key will not work in place of a secret key. A good way to know if you're using the right type of key is to look at the first two letters of the string. pk means it's a public key, while sk means it's a secret key.
  3. Your key is typed in wrongly: It is usually advised to never type in your API keys letter after letter. You're prone to mistakes. Make sure to just copy and paste it into wherever you need it to be.
  4. You're in the wrong environment: API keys on Test Mode are treated differently from API keys on the Live Mode. Confirm that you're using the right API keys for the environment you're on.