Authentication

Every Partner API request carries your organization credentials. Endpoints that act on behalf of a specific user additionally require a user session token.

Layer 1 - Organization credentials (every request)

Every Partner API request must carry your organization's API key and secret as headers:

Required on every request
X-Partner-Key:    pk_test_acme_1a2b3c4d5e6f7a8b
X-Partner-Secret: sk_test_acme_1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
  • The key (pk_…) is a public identifier.
  • The secret (sk_…) is verified server-side against an Argon2 hash and is never stored in plaintext by Qwik. Treat it like a password and keep it on your backend, never ship it to a browser or mobile client.

If either header is missing or the secret doesn't match, you get 401 Unauthorized. If your account is suspended or revoked, you get 403 Forbidden.

You receive these credentials when your partner organization is created (see Partner Organization). You can rotate them yourself at any time via POST /partner/me/rotate-api-key.

Layer 2 - User session token (user-scoped endpoints)

Endpoints that act on behalf of a specific user (onboarding, cards, deposits, transactions, etc.) additionally require a Bearer session token for that user:

Header · user-scoped endpoints
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6...

You obtain this token by logging the user in:

POST /partner/auth/login       → sends an OTP to the user
POST /partner/auth/verify-otp  → returns { sessionToken, expiresAt, user }

Pass that sessionToken as the Bearer token on all user-scoped calls. The token is a Qwik-signed JWT bound to a session row; it expires at expiresAt and is invalidated by POST /partner/auth/logout.
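The two layers above, as a backend-side client in Python. This is an added example, not Qwik's SDK and not code from this page: it keeps the org secret in the backend process, sends X-Partner-Key/X-Partner-Secret on every non-public call, adds the Bearer session token only on user-scoped paths, refuses to reuse a token past expiresAt, and forgets the token on logout. Assumptions beyond the page: the JSON bodies for login and verify-otp (a `phone` and an `otp` field), an ISO-8601 `expiresAt`, and a constructed in-memory transport that stands in for the network so the example runs offline.

```python
# Added example, not Qwik's SDK. Assumed: JSON bodies (phone, otp), ISO-8601 expiresAt, fake in-memory transport.
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

ORG_ONLY_PREFIXES = ("/partner/auth/register", "/partner/auth/login", "/partner/auth/verify-otp",
                     "/partner/auth/forgot-password/", "/partner/me", "/partner/usage", "/partner/webhooks")
PUBLIC_ROUTES = {("GET", "/external-bank-account-connect/connect"),        # from the endpoint table
                 ("POST", "/external-bank-account-connect/enrollment/public")}

class AuthError(Exception):
    """Missing/expired session caught locally, or a 401/403 from the API."""

def needs_session(method: str, path: str) -> bool:
    """User-scoped endpoints need the Bearer token; org-level and public ones do not."""
    return (method, path) not in PUBLIC_ROUTES and not path.startswith(ORG_ONLY_PREFIXES)

class PartnerClient:
    def __init__(self, key: str, secret: str, transport: Callable, now: Callable[[], datetime]):
        self._key, self._secret, self._transport, self._now = key, secret, transport, now
        self._token = self._expires_at = None      # Qwik-signed session JWT; never leaves this backend

    def headers_for(self, method: str, path: str) -> dict:
        if (method, path) in PUBLIC_ROUTES:
            return {}
        headers = {"X-Partner-Key": self._key, "X-Partner-Secret": self._secret}   # layer 1
        if needs_session(method, path):                                            # layer 2
            if self._token is None or self._now() >= self._expires_at:
                self._token = None                 # a stale token is useless; make the caller re-login
                raise AuthError(f"{method} {path} needs a live user session; log the user in first")
            headers["Authorization"] = f"Bearer {self._token}"
        return headers

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        status, payload = self._transport(method, path, self.headers_for(method, path), body)
        if status == 401:
            raise AuthError("401: partner key/secret rejected or session invalid")
        if status == 403:
            raise AuthError("403: partner account suspended or revoked")
        return payload

    def verify_otp(self, phone: str, otp: str) -> dict:
        payload = self.request("POST", "/partner/auth/verify-otp", {"phone": phone, "otp": otp})
        self._token = payload["sessionToken"]
        self._expires_at = datetime.fromisoformat(payload["expiresAt"].replace("Z", "+00:00"))
        return payload["user"]

    def logout(self) -> None:
        try:
            self.request("POST", "/partner/auth/logout")   # invalidates the session row server-side
        finally:
            self._token = self._expires_at = None          # and forget it locally regardless

def make_fake_transport(key: str, secret: str, now: Callable[[], datetime]):
    sessions = {}                                          # constructed stand-in for the API: token -> phone
    def transport(method, path, headers, body):
        if (method, path) in PUBLIC_ROUTES:
            return 200, {"public": True}
        if headers.get("X-Partner-Key") != key or headers.get("X-Partner-Secret") != secret:
            return 401, {"error": "unauthorized"}
        if path == "/partner/auth/login":
            return 200, {"otpSent": True}                  # pretend an OTP of 123456 went out
        if path == "/partner/auth/verify-otp":
            token = f"sess-{len(sessions)}-{body['phone']}" # constructed; the real one is a signed JWT
            sessions[token] = body["phone"]
            exp = (now() + timedelta(hours=1)).isoformat().replace("+00:00", "Z")
            return 200, {"sessionToken": token, "expiresAt": exp, "user": {"phone": body["phone"]}}
        if not needs_session(method, path):
            return 200, {"org": True, "path": path}
        auth = headers.get("Authorization", "")
        token = auth[7:] if auth.startswith("Bearer ") else ""
        if token not in sessions:
            return 401, {"error": "invalid session"}
        if path == "/partner/auth/logout":
            return 200, {"loggedOut": sessions.pop(token) is not None}
        return 200, {"user": sessions[token], "path": path}
    return transport

def _outcome(call) -> str:
    try:
        call()
        return "ok"
    except AuthError as e:
        return str(e)

def demo() -> dict:
    key, secret = "pk_test_example", "sk_test_example"     # constructed; load real ones from a secret store
    clock = {"t": datetime(2030, 1, 1, tzinfo=timezone.utc)}
    now = lambda: clock["t"]                                # injectable clock so expiry is demonstrable
    c = PartnerClient(key, secret, make_fake_transport(key, secret, now), now)
    out = {"login": c.request("POST", "/partner/auth/login", {"phone": "+15550100"})}
    out["user"] = c.verify_otp("+15550100", "123456")
    out["cards"] = c.request("GET", "/partner/cards/list")  # needs both layers
    out["usage"] = c.request("GET", "/partner/usage")       # org credentials only
    c.logout()
    out["after_logout"] = _outcome(lambda: c.request("GET", "/partner/cards/list"))
    c.request("POST", "/partner/auth/login", {"phone": "+15550100"}); c.verify_otp("+15550100", "123456")
    clock["t"] += timedelta(hours=2)                        # now past expiresAt
    out["expired"] = _outcome(lambda: c.request("GET", "/partner/cards/list"))
    return out
```

The client fails closed in two places that the API cannot see: a user-scoped call with no session, or with one past expiresAt, is rejected locally before any request leaves the backend, and logout clears the token even if the server call fails. Swap `make_fake_transport` for a real HTTP call with the same `(method, path, headers, body) -> (status, json)` shape to use it against the API.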

Which endpoints need what

Group                                                           Org key + secret   Bearer session
/auth/register, /login, /verify-otp, /forgot-password/*         yes                no
/auth/change-password, /logout                                  yes                yes
/partner/users/me*                                              yes                yes
/partner/cards/*, /partner/transactions/*, /partner/disputes*   yes                yes
/external-bank-account-connect/* (except public routes)         yes                yes
/partner/me*, /partner/usage, /partner/webhooks*                yes                no
GET /external-bank-account-connect/connect (hosted page)        no                 no
POST /external-bank-account-connect/enrollment/public           no                 no