API keys
Every partner account receives two API keys:
| Key type | Prefix | Purpose |
|---|---|---|
| Sandbox | sk_test_* | Testing and development — no real charges |
| Production | sk_live_* | Live card issuance and transactions |
Keep your API keys secret. Never expose them in client-side code, public repositories, or logs.
Making requests
Include your API key in the x-contro-api-key header:
curl -X GET https://api.contro.me/v1/partner/balance \
-H "x-contro-api-key: sk_test_your_key_here"
Sandbox vs production
Both environments share the same base URL (https://api.contro.me/v1). The API key prefix determines the environment:
- Sandbox (sk_test_*) — use for integration testing. No real funds are moved, and cards are not issued to payment networks.
- Production (sk_live_*) — use for live operations. Real cards are issued and funds are debited from your balance.
Sandbox and production data are completely isolated. Cardholders and cards created in sandbox are not visible in production.
IP whitelisting
For production keys, you can restrict API access to specific IP addresses. Contact the Contro team to configure your IP allowlist.
Rate limits
The Partner API allows 1,000 requests per minute per API key.
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests allowed per window |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |
When you exceed the limit, the API returns 429 Too Many Requests with a Retry-After header indicating how many seconds to wait.
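The following is an added example, not Contro's own code, of client-side guards for the points above: it refuses a key whose prefix does not match the intended environment, masks keys before text reaches a log, and derives a pause from the rate-limit headers. The function names, the assumed key character set and the 1-second fallback when Retry-After is missing are assumptions.

```python
import re
import time

# Assumption: the key body after the documented prefix is alphanumeric/underscore.
KEY_RE = re.compile(r"\bsk_(test|live)_[A-Za-z0-9_]+")
ENVIRONMENTS = {"sk_test_": "sandbox", "sk_live_": "production"}


def key_environment(api_key):
    """Map a key to its environment using the documented prefixes."""
    for prefix, env in ENVIRONMENTS.items():
        if api_key.startswith(prefix) and len(api_key) > len(prefix):
            return env
    raise ValueError("API key has neither the sk_test_ nor the sk_live_ prefix")


def require_environment(api_key, expected):
    """Fail closed when the loaded key belongs to a different environment.

    Both environments share one base URL, so the prefix is the only
    client-side guard against a test job running with a live key.
    """
    actual = key_environment(api_key)
    if actual != expected:
        raise RuntimeError(f"expected a {expected} key, got a {actual} key")
    return api_key


def redact(text):
    """Mask any key in text bound for logs, keeping the prefix for triage."""
    return KEY_RE.sub(lambda m: f"sk_{m.group(1)}_[REDACTED]", text)


def seconds_to_wait(status, headers, now=None):
    """Return how long to pause before sending the next request."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    now = time.time() if now is None else now
    if status == 429:
        # Retry-After carries the number of seconds to wait (fallback of 1 is assumed).
        return max(0.0, float(h.get("retry-after", 1)))
    if int(h.get("x-ratelimit-remaining", 1)) <= 0:
        # Window exhausted: wait until the Unix timestamp in X-RateLimit-Reset.
        return max(0.0, float(h.get("x-ratelimit-reset", now)) - now)
    return 0.0
```

Call require_environment once at startup with the key read from a secret store or environment variable, and pass every log message that may contain request headers through redact.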
Key rotation
To rotate an API key, contact the Contro team. A new key will be issued and the old key will remain active for a grace period to allow migration.