Authentication & keys

The API authenticates with an API key sent in the X-API-Key header. You can find and rotate your keys in the portal under Settings → API keys.

curl https://api.statementiq.com.au/v1/requests \
  -H "X-API-Key: siq_test_your_key"

Test and live keys

Every company has two keys, and the key you use decides the environment of the call — the same model as Stripe’s test and live keys:

  • siq_test_… — test (sandbox). Runs against mock bank data. Always available, from the moment you sign up. Use it to build and test your integration end to end. Nothing here touches a real bank account.
  • siq_live_… — live (production).Connects real customers’ banks through the CDR. It activates once your company is approved for production (see the go-live checklist in the portal). A live request creates a real CDR consent.
Test and live data are fully isolated
A test key can only see and act on test requests; a live key only sees live requests. A key from one environment returns 404 for a request in the other — there is no way to cross environments by swapping keys.

Getting approved for production

Before your live key works, we verify your business and its permitted use of CDR data — an obligation we carry as a CDR Representative. Complete the short due-diligence application on the go-live checklist in your portal. Approval is usually within one business day.

Keeping keys safe

  • Treat keys like passwords. Never embed them in front-end code, mobile apps, or public repositories.
  • Rotating a key in Settings immediately revokes the old one. Rotate straight away if a key may be exposed.
  • Each key can be rotated independently — rotating your test key does not affect your live key.

Errors

A missing or invalid key returns 401:

{ "detail": "invalid or missing API key" }

Using a live key before your company is approved returns 403 when creating a request. Some actions — such as sending a consent link by email or SMS — are production-only and return 403 in sandbox.