Authentication
Every request carries an API key as a bearer token. Keys are account-scoped: everything you create through the API belongs to your InvoiceJet account.
Authorization: Bearer ijk_live_3fa8c04b…Keys
Create and revoke keys under Developers in the app. The raw key is generated in your browser and shown exactly once. InvoiceJet stores only a SHA-256 hash, so a leaked database can never leak your key. Revocation is immediate.
Treat keys like passwords: server-side environment variables only, never in client-side code, repositories, or logs. Rotate by creating a new key, deploying it, then revoking the old one.
Scopes
Keys are created as full (everything) or read (queries only). A read-only key can call every GET endpoint but gets 403 insufficient_scope on ingestion (POST /v1/invoices, retry), updates (PATCH), and approval requests. Use read-only keys anywhere the key sits closer to the edge: dashboards, MCP configs on laptops, reporting jobs. Scope is fixed at creation; widening means creating a new key.
Verify a key
GET /v1/me returns the key's account and current quota, the fastest way to confirm wiring in a new environment.
curl 'https://nzsktgwehyzltgagloox.supabase.co/functions/v1/api/v1/me' \
-H 'Authorization: Bearer $INVOICEJET_API_KEY'Failures
A missing or malformed header returns 401 missing_api_key; an unknown or revoked key returns 401 invalid_api_key. Neither counts against rate limits.