API keys
Every partner account receives two API keys:
Key type | Prefix | Purpose
Sandbox | sk_test_* | Testing and development - no real charges
Production | sk_live_* | Live card issuance and transactions
Keep your API keys secret. Never expose them in client-side code, public repositories, or logs.
Making requests
Include your API key in the x-contro-api-key header:
cURL
curl -X GET https://stg-api.contro.dev/v1/partner/balance \
-H "x-contro-api-key: sk_test_your_key_here"
Environments
Contro provides two fully isolated environments, each with its own base URL, API keys, and dashboard:
 | Sandbox | Production
Base URL | https://stg-api.contro.dev/v1 | https://api.contro.me/v1
API key prefix | sk_test_* | sk_live_*
Dashboard | https://partner.contro.dev | https://partner.contro.me
Card provider | Simulated - no real charges | Live payment network
Sandbox - use for integration testing. No real funds are moved, cards are not issued to payment networks.
Production - use for live operations. Real cards are issued and funds are debited from your balance.
Sandbox and production data are completely isolated. Cardholders and cards created in sandbox are not visible in production.
IP whitelisting
Restrict API access to specific IP addresses per environment via your dashboard Settings page.
Sandbox: Supports localhost and 127.0.0.1 in addition to public IPs. An empty list allows all IPs.
Production: Only public IPs are accepted. An empty list allows all IPs.
Changes take effect immediately for all subsequent API requests.
Allowed origins
Control which browser origins can call the Partner API by configuring allowed origins in dashboard Settings. This enforces CORS for browser-based consumers (e.g., frontend apps using the SDK via fetch).
An empty list bypasses origin checks (all origins allowed).
Server-to-server requests are unaffected — they don’t send an Origin header.
Origins must include the scheme (e.g., https://app.example.com).
Rate limits
The Partner API allows 1,000 requests per minute per API key.
Header | Description
X-RateLimit-Limit | Maximum requests allowed per window
X-RateLimit-Remaining | Requests remaining in the current window
X-RateLimit-Reset | Unix timestamp when the window resets
When you exceed the limit, the API returns 429 Too Many Requests with a Retry-After header indicating how many seconds to wait.
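The request pattern from "Making requests" and the rate-limit handling above, as an added example that is not Contro's own SDK: it selects the base URL from the key prefix, sends the x-contro-api-key header, reads the X-RateLimit-* headers, and waits Retry-After seconds before retrying a 429. The controRequest, baseUrlForKey, parseRateLimit and redactKey names, the injectable fetchImpl/sleep options and the maxRetries default are assumptions made for this example.

```javascript
// Added example (not Contro's SDK). Base URLs and key prefixes are the ones
// documented in the Environments table above.
const BASE_URLS = {
  sk_test_: "https://stg-api.contro.dev/v1", // sandbox
  sk_live_: "https://api.contro.me/v1",      // production
};

function baseUrlForKey(apiKey) {
  const prefix = Object.keys(BASE_URLS).find((p) => apiKey.startsWith(p));
  if (!prefix) throw new Error("API key must start with sk_test_ or sk_live_");
  return BASE_URLS[prefix];
}

// Safe form of a key for log lines: prefix plus last four characters only,
// so the full secret never ends up in logs.
function redactKey(apiKey) {
  return apiKey.slice(0, 8) + "..." + apiKey.slice(-4);
}

// Works with any object exposing headers.get(name); the Fetch API Headers
// class looks names up case-insensitively. Missing headers become null.
function parseRateLimit(headers) {
  const num = (name) => (headers.get(name) == null ? null : Number(headers.get(name)));
  return {
    limit: num("X-RateLimit-Limit"),
    remaining: num("X-RateLimit-Remaining"),
    reset: num("X-RateLimit-Reset"),
    retryAfter: num("Retry-After"),
  };
}

// GET a partner endpoint, retrying on 429 for at most maxRetries times.
async function controRequest(apiKey, path, opts = {}) {
  const { fetchImpl = fetch, maxRetries = 3 } = opts;
  const sleep = opts.sleep || ((ms) => new Promise((r) => setTimeout(r, ms)));
  const url = baseUrlForKey(apiKey) + path;
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(url, { headers: { "x-contro-api-key": apiKey } });
    const rateLimit = parseRateLimit(res.headers);
    if (res.status !== 429) {
      return { status: res.status, rateLimit, body: await res.json() };
    }
    if (attempt >= maxRetries) {
      throw new Error(`still rate limited after ${attempt + 1} attempts (key ${redactKey(apiKey)})`);
    }
    await sleep((rateLimit.retryAfter ?? 1) * 1000); // Retry-After is in seconds
  }
}
```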
Key rotation
To rotate an API key, contact the Contro team. A new key will be issued and the old key will remain active for a grace period to allow migration.