X-API-Key header scheme — pass your key as a plain header value, or use the official SDKs which handle this automatically. There are no OAuth flows, no token expiry windows, and no refresh tokens to manage.
API key format
AgriBackup API keys are prefixed to indicate their environment:| Prefix | Environment | Description |
|---|---|---|
sk_live_ | Production | Processes real compliance records, anchors on Hedera mainnet, and files to live TRACES NT |
sk_test_ | Sandbox | Fully isolated; no real blockchain transactions or EU system submissions |
POST /api/v1/enterprise/api-keys.
Passing your API key
Raw HTTP
Include the key in theX-API-Key header on every request:
Both
X-API-Key and Authorization: Bearer header formats are accepted. The X-API-Key header is the canonical form used by all official SDKs.Python SDK
Node.js SDK
Java SDK
Base URL auto-resolution
You do not need to configure a base URL when using an official SDK. The SDK inspects thesk_live_ or sk_test_ prefix and selects the correct host:
| Key prefix | Resolved base URL |
|---|---|
sk_live_ | https://live.agribackup.com |
sk_test_ | https://sandbox.agribackup.com |
/api/v1.
Rate limits
The production environment enforces a limit of 100 requests per second per API key. Every response includes the following headers so you can monitor your usage in real time:The maximum number of requests permitted per rate-limit window.
The number of requests remaining in the current window.
UTC epoch seconds at which the current window resets.
429 Too Many Requests. Back off using the Retry-After header value before retrying.
Common authentication errors
401 Unauthorized
You receive401 when no valid API key is present or the key is malformed.
- The
X-API-Keyheader is absent. - The key value is truncated or contains whitespace.
- You are passing the key in the wrong header (e.g.
Authorization: Tokeninstead ofX-API-Key).
403 Forbidden
You receive403 when the key is valid but lacks the required scope for the requested operation.
- The key was generated with restricted scopes (e.g. read-only) and you are attempting a write.
- You are sending a
sk_test_key to the production host (live.agribackup.com) or vice versa. - The key has been rotated and the old value is being used.
POST /api/v1/enterprise/api-keys/{keyId}/rotate.
Keeping keys secure
Follow these practices to keep your API keys secure:
- Environment variables only. Load the key from an environment variable or a secrets manager (e.g. HashiCorp Vault, AWS Secrets Manager) — never hard-code it.
- No client-side exposure. Never include a
sk_live_key in browser JavaScript, mobile app binaries, or any code that runs outside your trusted server environment. - Rotate regularly. Use
POST /api/v1/enterprise/api-keys/{keyId}/rotateto issue a new key on a schedule or immediately after any suspected compromise. - Scope minimally. When creating keys for automated pipelines, grant only the scopes that pipeline requires.
- Audit usage. List active keys with
GET /api/v1/enterprise/api-keysand revoke any you no longer recognise.