
API authentication

Apto uses API keys to control access to our APIs. Keys consist of a public component and a private component, which act like a username and password. The Core API and Mobile API handle keys differently.


Keys are always associated with sandbox or production. Sandbox keys will not work in production, and vice versa.

Mobile API authentication

The Mobile API creates a secure connection between an individual cardholder’s application and their specific data within Apto’s platform. We provide a public key that identifies your program. The cardholder completes authentication with a session token, which the API generates once the cardholder verifies themselves via their primary credential and which serves as the private key.

  • Mobile API Key: This string of characters identifies your card program.
  • Session Token: When your users authenticate themselves, they get a session token that serves as the private key.
curl --location --request POST {ENDPOINT} \
--header 'Api-Key: Bearer {MOBILE_API_KEY}' \
--header 'Authorization: {SESSION_TOKEN}' \
--header 'Content-Type: application/json'

Your Mobile API key is generated by Apto automatically when you create your account. You can only have one public Mobile API key.

Core API authentication

With the Core API, information will flow from the Apto platform to your backend. You can then pass it on to the cardholder’s mobile application, with private API keys used to secure the communication. These API keys are a pair of values that you can generate in Dashboard.


In Production, the Core API is read-only for Green Programs.

  • Public key: This key is sometimes called the API Key. It always starts with pk_live_.
  • Private key: Sometimes called an API Secret, this key always starts with sk_live_.
  • In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where credentials are the Base64 encoding of a public Core API key and its private API secret joined by a colon.
  • For Green Programs, Core API access is limited in production.
curl --location --request POST {ENDPOINT} \
--header "Authorization: Basic $(echo -n <my_public_key>:<my_secret_key> | base64)" \
--header 'Content-Type: application/json'

In production, your private Core API secrets provide access to all your cardholders’ data. Do not make these values public or use them outside of your private infrastructure. Never use production Core API credentials in user-facing applications.

Finding your API keys

Mobile API key

  1. Open the Apto developer dashboard and navigate to Developers.
  2. Identify the key labeled Mobile API Key.

Core API keys


Once created, the Core API secret will not be available again, so make sure you store it in a safe place.

  1. Open the Apto developer dashboard and navigate to Developers.
  2. From the API Keys tab, select Add.
  3. Store your API key.
  4. Select Done.

Once you have your public and private keys for the Core API, join them with a colon and Base64-encode the result before sending it, for example:

"Authorization: Basic $(echo -n <my_public_key>:<my_secret_key> | base64)"
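
Added example (not Apto's own code): a POSIX shell helper that builds the Core API `Authorization` value described above. It checks the `pk_live_` and `sk_live_` prefixes this page documents and strips the line wrapping that GNU `base64` applies to long input. The environment variable names in the usage comment and the sample key values are assumptions.

```shell
#!/bin/sh
# Added example, not from the Apto documentation.
# Builds the value of the Core API "Authorization" header.

# apto_basic_auth PUBLIC_KEY SECRET_KEY
# Prints "Basic <base64(PUBLIC_KEY:SECRET_KEY)>" on a single line.
# Returns 1 (and prints nothing on stdout) if either key looks wrong.
apto_basic_auth() {
    pub=${1-}
    sec=${2-}
    # Prefixes as stated on this page; this catches swapped or empty values
    # before a secret ends up in the wrong field of a request.
    case $pub in
        pk_live_?*) ;;
        *) echo "public key must start with pk_live_" >&2; return 1 ;;
    esac
    case $sec in
        sk_live_?*) ;;
        *) echo "secret key must start with sk_live_" >&2; return 1 ;;
    esac
    # printf emits no trailing newline (echo -n is not portable), and
    # tr removes the line breaks GNU base64 inserts every 76 characters,
    # which would otherwise split the header value for long keys.
    creds=$(printf '%s:%s' "$pub" "$sec" | base64 | tr -d '\n')
    printf 'Basic %s\n' "$creds"
}

# Typical use from a backend host, with keys taken from the environment
# (APTO_PUBLIC_KEY / APTO_SECRET_KEY are hypothetical variable names):
#   curl --location --request POST {ENDPOINT} \
#     --header "Authorization: $(apto_basic_auth "$APTO_PUBLIC_KEY" "$APTO_SECRET_KEY")" \
#     --header 'Content-Type: application/json'

# Demonstration with constructed, non-functional key values.
apto_basic_auth 'pk_live_CONSTRUCTED_EXAMPLE' 'sk_live_CONSTRUCTED_EXAMPLE'
```

Reading the keys from the environment or a secrets manager keeps the `sk_live_` value out of shell history and source control, in line with the warning above about keeping Core API secrets inside private infrastructure.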