Authentication

All API endpoints (except /api/v1/health) require authentication using a Bearer token.

Getting your API key

Sign up at pixcraft.es
Subscribe to an API plan at pixcraft.es/developers
Navigate to Dashboard → API Keys
Click Create API Key

Your key will look like: px_live_a1b2c3d4e5f6...

Using your API key

Include the key in the Authorization header of every request:

curl https://www.pixcraft.es/api/v1/capabilities \
  -H "Authorization: Bearer px_live_your_key_here"

API key properties

Each API key has the following configuration:

Property	Description
`plan`	Starter, Business, or Enterprise
`allowed_domains`	CORS whitelist — requests from other domains are rejected
`allowed_niches`	Optional restriction — limit which niches this key can access
`custom_colors`	Override the default color catalog for all niches
`custom_logo_url`	Your logo for white-label PDF generation

Note: Monthly usage limits are tracked at the account level, not per key. All your API keys and widgets share the same monthly counter. See Rate Limiting for details.

Error responses

Scenario	HTTP Status	Error Code
No `Authorization` header	401	`MISSING_API_KEY`
Invalid or unknown key	401	`INVALID_API_KEY`
Key has been deactivated	401	`INACTIVE_API_KEY`
Monthly limit exceeded	429	`RATE_LIMIT_EXCEEDED`

Example error response:

{
  "error": true,
  "code": "INVALID_API_KEY",
  "message": "The provided API key is not valid.",
  "docs": "https://docs.pixcraft.es/errors/INVALID_API_KEY"
}

Security best practices

Never expose your API key in client-side code — always call the API from your backend
Use domain restrictions — configure allowed_domains to limit where the key can be used
Rotate keys — if a key is compromised, deactivate it and create a new one
Use separate keys — create different keys for development, staging, and production

Documentation Index

​Authentication

​Getting your API key

​Using your API key

​API key properties

​Error responses

​Security best practices