API Keys
PCX uses API keys for server-to-server authentication. Each key is scoped to an organization.
Generate keys from Dashboard → Settings → API Keys.
Never expose API keys in client-side code or public repositories. Rotate immediately if compromised.
Making authenticated requests
Include the key as a Bearer token on every request:
curl https://api.pcxpay.com/v1/organizations/{org_id} \
  -H "Authorization: Bearer your_api_key_here"
JWT (user-facing flows)
For flows initiated by end users (e.g., dashboard login), PCX uses Cognito-issued JWTs. Pass the JWT in the same Authorization: Bearer header — the API Gateway validates and routes accordingly.
Errors
| Status | Meaning |
|---|---|
| 401 | Missing or invalid token |
| 403 | Valid token but insufficient permissions |
{
  "status": "error",
  "message": "Unauthorized"
}
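
A server-side sketch of the request and error handling described above, added here as an example and not taken from PCX's own code or SDK. The environment variable name `PCX_API_KEY`, the allowed `org_id` character set, and the helper names are assumptions; the base URL, header format, and 401/403 meanings come from this page.

```python
import json
import os
import re
import urllib.request

API_BASE = "https://api.pcxpay.com/v1"  # base URL from the curl example on this page
KEY_ENV_VAR = "PCX_API_KEY"             # assumed variable name, not defined by PCX

def load_api_key(env=os.environ):
    """Read the key from the environment so it never lives in source control."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key

def build_org_request(org_id, api_key):
    """Build the GET /organizations/{org_id} request with the Bearer header."""
    # Assumed org_id format: a conservative charset so the value cannot alter the path.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", org_id):
        raise ValueError("unexpected characters in org_id")
    # Reject CR/LF so a corrupted secret cannot inject extra headers.
    if any(c in api_key for c in "\r\n"):
        raise ValueError("API key contains a line break")
    return urllib.request.Request(
        f"{API_BASE}/organizations/{org_id}",
        headers={"Authorization": f"Bearer {api_key}"},
        method="GET",
    )

def explain_auth_failure(status, body):
    """Map the documented 401/403 responses to an operator action."""
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, TypeError, AttributeError):
        message = ""
    if status == 401:
        return f"401 {message}: token missing or invalid; check or rotate the key"
    if status == 403:
        return f"403 {message}: token valid but lacks permission for this resource"
    return None

def redact(request):
    """Header view that is safe to log: the credential is masked."""
    return {k: ("Bearer ***" if k.lower() == "authorization" else v)
            for k, v in request.header_items()}
```

Send the request with `urllib.request.urlopen(req, timeout=10)` and pass the status and body of any `HTTPError` to `explain_auth_failure`; log `redact(req)` rather than the request headers themselves.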