Skip to main content

API Keys

All API requests require authentication using an API key. Include your API key in the X-API-Key header of every request. 
X-API-Key: bipa_prod_xxxxxxxxxxxx

Key types

Bipa provides two types of API keys:
PrefixEnvironmentPurpose
bipa_prod_ProductionReal transactions with real money
bipa_test_SandboxTesting and development
Never expose your API keys in client-side code, public repositories, or logs. Treat them like passwords.

Making authenticated requests

Include your API key in the X-API-Key header: 
curl https://api.bipa.tech/v1/customers \
  -H "X-API-Key: bipa_prod_xxxxxxxxxxxx" \
  -H "Content-Type: application/json"

Obtaining API keys

  1. Log in to your Bipa Console
  2. Navigate to DevelopersAPI Keys
  3. Click Create new key
  4. Copy your key immediately — it won’t be shown again
You can only have one active API key at a time. Creating a new key will revoke the previous one.

Sandbox environment

The sandbox environment uses the same base URL but with test API keys: 
curl https://api.bipa.tech/v1/customers \
  -H "X-API-Key: bipa_test_xxxxxxxxxxxx"
In sandbox mode:
  • No real money is moved
  • Pix payments are executed in Bacen staging environment
  • Crypto transactions are executed in testnets
For the full sandbox setup guide, including creating test users and adding funds, see Sandbox.

Security best practices

Store API keys in environment variables, not in code:
export BIPA_API_KEY=bipa_prod_xxxxxxxxxxxx

import os
api_key = os.environ.get("BIPA_API_KEY")
Create new keys periodically and revoke old ones. This limits the impact if a key is compromised.
If you suspect a key has been compromised, create a new one immediately. This will automatically revoke the old key.
Review your API logs in the console regularly to detect unusual activity.