API keys

Every partner account receives two API keys:
Key type   | Prefix    | Purpose
Sandbox    | sk_test_* | Testing and development - no real charges
Production | sk_live_* | Live card issuance and transactions
Keep your API keys secret. Never expose them in client-side code, public repositories, or logs.

Making requests

Include your API key in the x-contro-api-key header:
curl -X GET https://stg-api.contro.dev/v1/partner/balance \
  -H "x-contro-api-key: sk_test_your_key_here"

Environments

Contro provides two fully isolated environments, each with its own base URL, API keys, and dashboard:
               | Sandbox                       | Production
Base URL       | https://stg-api.contro.dev/v1 | https://api.contro.me/v1
API key prefix | sk_test_*                     | sk_live_*
Dashboard      | https://partner.contro.dev    | https://partner.contro.me
Card provider  | Simulated - no real charges   | Live payment network
  • Sandbox - use for integration testing. No real funds are moved, and cards are not issued to payment networks.
  • Production - use for live operations. Real cards are issued and funds are debited from your balance.
Sandbox and production data are completely isolated. Cardholders and cards created in sandbox are not visible in production.

IP whitelisting

Restrict API access to specific IP addresses per environment via your dashboard Settings page.
  • Sandbox: Supports localhost and 127.0.0.1 in addition to public IPs. An empty list allows all IPs.
  • Production: Only public IPs are accepted. An empty list allows all IPs.
Changes take effect immediately for all subsequent API requests.

Allowed origins

Control which browser origins can call the Partner API by configuring allowed origins in dashboard Settings. This enforces CORS for browser-based consumers (e.g., frontend apps using the SDK via fetch).
  • An empty list bypasses origin checks (all origins allowed).
  • Server-to-server requests are unaffected — they don’t send an Origin header.
  • Origins must include the scheme (e.g., https://app.example.com).

Rate limits

The Partner API allows 1,000 requests per minute per API key.
Header                | Description
X-RateLimit-Limit     | Maximum requests allowed per window
X-RateLimit-Remaining | Requests remaining in the current window
X-RateLimit-Reset     | Unix timestamp when the window resets
When you exceed the limit, the API returns 429 Too Many Requests with a Retry-After header indicating how many seconds to wait.
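
The Python helper below is an added example, not code from Contro or its SDK. It selects the base URL from the key prefix and rejects a key from the wrong environment, masks keys before they reach a log line, and derives a retry delay from the 429 headers described above. The function names, the 120-second cap and the 1-second fallback are assumptions.

```python
import time

# Key prefix -> base URL, taken from the Environments table on this page.
ENVIRONMENTS = {
    "sk_test_": "https://stg-api.contro.dev/v1",
    "sk_live_": "https://api.contro.me/v1",
}


def base_url_for(api_key, expect_live=False):
    """Choose the base URL from the key prefix; refuse a key from the wrong environment."""
    for prefix, url in ENVIRONMENTS.items():
        if api_key.startswith(prefix) and len(api_key) > len(prefix):
            if (prefix == "sk_live_") != expect_live:
                raise ValueError("key prefix %s does not match the expected environment" % prefix)
            return url
    raise ValueError("key has neither the sk_test_ nor the sk_live_ prefix")


def redact(api_key):
    """Loggable form of a key: the prefix only, with the secret part masked."""
    for prefix in ENVIRONMENTS:
        if api_key.startswith(prefix):
            return prefix + "****"
    return "****"


def retry_delay(status, headers, now=None, cap=120.0):
    """Seconds to wait before retrying a response; 0.0 unless it is a 429."""
    if status != 429:
        return 0.0
    lowered = {name.lower(): value for name, value in headers.items()}
    now = time.time() if now is None else now
    try:
        delay = float(lowered["retry-after"])  # seconds to wait
    except (KeyError, ValueError):
        try:
            # Fall back to the Unix timestamp at which the window resets.
            delay = float(lowered["x-ratelimit-reset"]) - now
        except (KeyError, ValueError):
            delay = 1.0  # assumed default when neither header is usable
    return min(max(0.0, delay), cap)  # cap is an assumed upper bound


if __name__ == "__main__":
    key = "sk_test_constructed_example"  # constructed sample, not a real key
    print(redact(key), base_url_for(key))
    print(retry_delay(429, {"Retry-After": "7"}))
```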

Key rotation

To rotate an API key, contact the Contro team. A new key will be issued and the old key will remain active for a grace period to allow migration.