Authentication & keys
The API authenticates with an API key sent in the X-API-Key header. You can find and rotate your keys in the portal under Settings → API keys.
curl https://api.statementiq.com.au/v1/requests \
-H "X-API-Key: siq_test_your_key"Test and live keys
Every company has two keys, and the key you use decides the environment of the call — the same model as Stripe’s test and live keys:
siq_test_…— test (sandbox). Runs against mock bank data. Always available, from the moment you sign up. Use it to build and test your integration end to end. Nothing here touches a real bank account.siq_live_…— live (production).Connects real customers’ banks through the CDR. It activates once your company is approved for production (see the go-live checklist in the portal). A live request creates a real CDR consent.
404 for a request in the other — there is no way to cross environments by swapping keys.Getting approved for production
Before your live key works, we verify your business and its permitted use of CDR data — an obligation we carry as a CDR Representative. Complete the short due-diligence application on the go-live checklist in your portal. Approval is usually within one business day.
Keeping keys safe
- Treat keys like passwords. Never embed them in front-end code, mobile apps, or public repositories.
- Rotating a key in Settings immediately revokes the old one. Rotate straight away if a key may be exposed.
- Each key can be rotated independently — rotating your test key does not affect your live key.
Errors
A missing or invalid key returns 401:
{ "detail": "invalid or missing API key" }Using a live key before your company is approved returns 403 when creating a request. Some actions — such as sending a consent link by email or SMS — are production-only and return 403 in sandbox.