Authentication
Authenticate with the RevKeen API using API keys or OAuth 2.1
RevKeen supports two authentication methods: API keys for server-to-server integrations and OAuth 2.1 for MCP hosts, third-party apps, and automated workflows.
API keys (recommended for most integrations)
Use your RevKeen API key in the x-api-key header on every server-side REST request.
Auth method
x-api-key: rk_live_your_api_key
If the header is missing, invalid, or belongs to the wrong environment, the API returns 401 Unauthorized.
Where to get keys
Create API keys in the RevKeen Dashboard.
Create separate keys for:
- production services
- staging and QA
- each integration or backend service that needs isolated access
Staging vs live
| Key type | Prefix | Use when |
|---|---|---|
| Staging | rk_sandbox_* | Integration development, QA, demos, and webhook testing |
| Live | rk_live_* | Real customers, live transactions, and production automations |
The non-production environment is documented as Staging, but the current key prefix remains rk_sandbox_*.
Example
curl https://staging-api.revkeen.com/v2/customers \
  -H "x-api-key: rk_sandbox_your_api_key" \
  -H "Accept: application/json"
Server-side key safety
- Keep API keys in environment variables or a secret manager.
- Never ship live keys to browsers, mobile apps, screenshots, or public repositories.
- Rotate keys regularly and revoke keys that are no longer used.
- Keep staging and production credentials fully separate.
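The guard below is an added example, not RevKeen or SDK code: it reads the key from the environment, checks its prefix against the Staging vs live table before any request is sent, and only ever logs a redacted form. The variable name REVKEEN_API_KEY, the function names, and the sample keys are assumptions constructed for illustration.

```javascript
// Added example (not RevKeen code). REVKEEN_API_KEY and all function names are assumptions.
// Prefixes are taken from the "Staging vs live" table.
const KEY_PREFIXES = { staging: 'rk_sandbox_', live: 'rk_live_' };

// Return 'staging', 'live', or null when the value has neither documented API key prefix.
function classifyKey(key) {
  if (typeof key !== 'string') return null;
  for (const [envName, prefix] of Object.entries(KEY_PREFIXES)) {
    if (key.startsWith(prefix) && key.length > prefix.length) return envName;
  }
  return null;
}

// Form that is safe for logs and error messages: prefix plus at most the last 4 characters.
function redactKey(key) {
  const envName = classifyKey(key);
  if (!envName) return '[unrecognized key]';
  const prefix = KEY_PREFIXES[envName];
  const secret = key.slice(prefix.length);
  const tail = secret.length > 8 ? secret.slice(-4) : '';
  return `${prefix}****${tail}`;
}

// Build headers for `target` ('staging' or 'live') from an env object such as process.env.
// Throws before any network call if the key is missing, malformed, or for the other environment.
function buildAuthHeaders(env, target) {
  if (!Object.keys(KEY_PREFIXES).includes(target)) {
    throw new Error(`unknown target environment: ${target}`);
  }
  const key = env.REVKEEN_API_KEY;
  if (!key) throw new Error('REVKEEN_API_KEY is not set');
  if (/\s/.test(key)) {
    throw new Error('REVKEEN_API_KEY contains whitespace (check for a trailing newline)');
  }
  const actual = classifyKey(key);
  if (actual !== target) {
    const what = actual ? `a ${actual} key` : 'not a recognized API key';
    throw new Error(`key ${redactKey(key)} is ${what}; refusing to use it for ${target}`);
  }
  return { 'x-api-key': key, Accept: 'application/json' };
}

// Constructed sample value, not a real credential.
console.log(redactKey('rk_live_EXAMPLEONLY0001'));
```

Call `buildAuthHeaders(process.env, 'staging')` once at service start-up so that a mismatched key stops the deploy instead of surfacing later as 401 responses.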
OAuth 2.1
For MCP integrations, third-party apps, and automated workflows, use OAuth 2.1 with Authorization: Bearer rk_oauth_* tokens.
import { RevKeenClient } from '@revkeen/sdk';

const client = new RevKeenClient({
  oauth: {
    clientId: process.env.REVKEEN_CLIENT_ID!,
    clientSecret: process.env.REVKEEN_CLIENT_SECRET!,
    scopes: ['customers:read', 'invoices:read'],
  },
});
See the OAuth 2.1 guide for authorization code + PKCE, client credentials, dynamic client registration, and scope reference.