Authentication and Identification

Authenticate your account when using the API by including your secret API key in the request. You can manage your API key in Stax Bill's UI. Your API key carries many privileges. Do not share API keys in publicly accessible areas such as GitHub or client-side code.

Creating an API Key

You must create and use an API Key to access the Stax Bill API.

  1. In the Stax Bill UI, navigate to Settings -> Integrations -> API Key.
  2. Click Create Key to generate an API key.

The generated key is shown in boldface below. Copy and paste this key into the Authorization header in your application.

Ensure you preface the key with the word Basic. For example:

Authorization: Basic MDpFSDl2RTBRNTZVYVJYdnZROE8wb2JpMzJsSDJPNXh0YlZneVRDN2o1d0NCbEEwamV6ZmhDMVNwd2t4U0paSW9q

Note to Existing customers whose API keys were generated by Stax Bill Support: Your keys will continue to work, though the value you are using in your integration code may not exactly match the value you see in the Admin UI on this page. This is due to some differences in the encryption of old vs. newly generated keys. We recommend you DO NOT regenerate a new key using the UI unless you ensure that the key is updated in your code at the same time.

Warning: You can delete or regenerate your key at any time, but be aware that any existing application code that accesses the Stax Bill API will immediately cease to function and will generate authorization errors until the key has been updated.

Authentication to the API is performed via HTTP Basic Auth. Provide your API key as the basic auth username value, for example -H "Authorization: Basic YourAPIKeyHere". You do not need to provide a password.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail. TLS 1.2 is supported, and HTTP compression is encouraged.

Since most PUT, PATCH, and POST requests require a JSON body, these API calls require an additional header -H "Content-Type: application/json".
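The following is an added example, not code from Stax Bill: it builds a request with the headers described on this page (including the optional x-audit-source header covered further down) while keeping the key out of source code and out of logs. The environment variable name STAXBILL_API_KEY, the helper names, and the host api.example.invalid are assumptions made for illustration.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

KEY_ENV_VAR = "STAXBILL_API_KEY"  # hypothetical variable name, not from the docs


def build_request(url, method="GET", body=None, audit_source=None, env=os.environ):
    """Build (but do not send) a request carrying the headers described above."""
    # The page says plain-HTTP calls fail; refusing them here keeps the key
    # from ever leaving the host unencrypted.
    if urlsplit(url).scheme != "https":
        raise ValueError("API requests must use HTTPS")
    # Read the key from the environment so it never lands in source control.
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    # The key from the UI is pasted as-is after the word "Basic".
    headers = {"Authorization": f"Basic {key}"}
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    if audit_source is not None:
        # Control characters (CR/LF) in a header value allow header injection.
        if any(ord(ch) < 32 for ch in audit_source):
            raise ValueError("audit source contains control characters")
        headers["x-audit-source"] = audit_source
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def loggable_headers(request):
    """Headers with lower-cased names and the API key masked, safe to log."""
    return {
        name.lower(): "Basic ****" if name.lower() == "authorization" else value
        for name, value in request.header_items()
    }


if __name__ == "__main__":
    # Constructed sample values; api.example.invalid is a placeholder host.
    sample_env = {KEY_ENV_VAR: "CONSTRUCTED-SAMPLE-KEY"}
    req = build_request("https://api.example.invalid/customers", "POST",
                        {"name": "Test"}, "API - Registration Page", sample_env)
    print(req.get_method(), req.full_url, loggable_headers(req))
```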

Optionally, the special header -H "x-audit-source: customString" can be used to identify the source of the API call. When looking at the audit log report in the UI, any entry for a change via API will be marked as having the source "API" unless this header is used to override that string to something more useful. For example, if the API calls are coming from a registration page you can set x-audit-source to "API - Registration Page". This is the audit log as seen through the UI: