The Crezco Payables API uses API keys to authenticate requests. You can get keys to our Sandbox and Production environments by following the Onboarding and Go Live steps here.
About keys
Security
Authentication to the API is performed via HTTP Bearer Auth. Provide your API key as the token value:
Authorization: Bearer YOUR_API_KEY
All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.
Safeguarding
Your API keys carry many privileges, so keep them secure! Do not share your API keys in publicly accessible places such as GitHub or client-side code.
If you suspect your key has been leaked outside of your organisation, please notify us immediately and we will assist in key rotation.
Periodic key rotation is also advised, and we would suggest setting a cadence that your application security team are happy with. We would suggest a minimum rotation period of a year.
Prefixes
Sandbox API keys have the prefix CZSB01 and live mode API keys have the prefix CZ01.
This allows for easy identification of keys within codebases. For the security reasons discussed above, you may wish to perform automated repository scanning for strings beginning with these key prefixes.
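One way to implement the repository scan suggested above, as an added example rather than Crezco's own tooling. The two prefixes come from this page; the rest of the key format is not documented here, so the pattern assumes at least 16 further characters from `[A-Za-z0-9_-]`, and the function names and skipped directories are illustrative choices.

```python
import os
import re
import sys

# Prefixes come from the page; the tail (16+ chars of [A-Za-z0-9_-]) is an
# assumption, since the page does not document the rest of the key format.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])(CZSB01|CZ01)([A-Za-z0-9_-]{16,})")
ENVIRONMENT = {"CZSB01": "sandbox", "CZ01": "live"}
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def scan_text(text):
    """Return (line_no, environment, redacted_key) for each candidate key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            prefix, tail = match.groups()
            # Never echo the full secret into CI logs: keep prefix + last 4.
            redacted = f"{prefix}...{tail[-4:]}"
            findings.append((line_no, ENVIRONMENT[prefix], redacted))
    return findings


def scan_tree(root):
    """Walk a checkout and return (path, line_no, environment, redacted_key)."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as handle:
                    raw = handle.read()
            except OSError:
                continue
            if b"\0" in raw[:8192]:  # crude binary-file check
                continue
            text = raw.decode("utf-8", errors="replace")
            for line_no, env, redacted in scan_text(text):
                results.append((os.path.relpath(path, root), line_no, env, redacted))
    return results


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, line_no, env, redacted in hits:
        print(f"{path}:{line_no}: possible {env} key {redacted}")
    # Non-zero exit lets a pre-commit hook or CI job block the change;
    # a live key found this way should be rotated, not just deleted.
    sys.exit(1 if hits else 0)
```

Run it against a checkout in a pre-commit hook or CI step. It only inspects the working tree, so keys that exist solely in earlier commits need a history-aware scan as well.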