Authentication
The Invoice Navigator API uses API keys for authentication. Include your API key in the Authorization header of all requests.
API Keys
API keys are provided when you sign up for API access. Each key is tied to your account and has specific rate limits based on your plan.
Security: Keep your API key secret. Do not expose it in client-side code or public repositories.
Authentication Header
Include your API key in the Authorization header:
Authorization: Bearer YOUR_API_KEY
Important: The Authorization: Bearer header is required for all API requests. Requests without this header will be rejected by CSRF protection (designed for browser sessions). Server-to-server API calls must always include the Bearer token.
Example Request
curl -X POST https://api.invoicenavigator.eu/api/v1/validate \
  -H "Authorization: Bearer sk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d @- <<< "$(jq -n --rawfile xml invoice.xml '{xml: $xml}')"
Note: The API accepts JSON with the invoice XML content in the xml field. See the Validation API docs for the full request/response schema.
Key Prefixes
API keys have prefixes that determine their behavior:
- sk_live_ — Production key. Requests count against your monthly quota and use your plan's rate limits.
- sk_test_ — Test key. Runs the same validation engine but does not consume quota. Rate limited to 100 requests/hour. Evidence packs include a test watermark. See the Sandbox docs for full details.
Both keys are generated together when you sign up or regenerate your API key.
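The request example above passes the key as a command-line argument, where it is visible in the process list and shell history. The following wrapper is an added example, not part of the Invoice Navigator documentation: it checks the documented key prefix, refuses a live key outside production, and hands the Authorization header to curl through a config stream instead of argv. The variable names INVOICE_NAV_API_KEY and APP_ENV, the key character set and the use of /dev/fd are assumptions.

```bash
# Added example, not part of the Invoice Navigator docs.
# Assumed names: INVOICE_NAV_API_KEY, APP_ENV. Assumed key charset: [A-Za-z0-9_].
API_URL="https://api.invoicenavigator.eu/api/v1/validate"

# Print "live" or "test" from the documented prefix; fail on anything else.
key_mode() {
  case "$1" in
    *[!A-Za-z0-9_]*) return 1 ;;   # blocks quotes/newlines that could inject curl options
    sk_live_?*) echo live ;;
    sk_test_?*) echo test ;;
    *) return 1 ;;
  esac
}

# Log-safe form of a key: the prefix only, never the secret part.
redact_key() {
  if key_mode "$1" >/dev/null; then echo "sk_$(key_mode "$1")_***"; else echo "invalid-key"; fi
}

# Allow test keys everywhere; allow live keys only when APP_ENV is "production".
check_key_for_env() {
  case "$(key_mode "$1"):$2" in
    test:*|live:production) return 0 ;;
    live:*) echo "refusing live key in environment '$2'" >&2; return 1 ;;
    *) echo "key lacks a valid sk_live_/sk_test_ prefix" >&2; return 1 ;;
  esac
}

# Emit curl config lines; read via --config so the key is never in argv or `ps`.
curl_config() {
  printf 'url = "%s"\n' "$API_URL"
  printf 'header = "Authorization: Bearer %s"\n' "$1"
  printf 'header = "Content-Type: application/json"\n'
}

# usage: validate_invoice invoice.xml   (needs curl, jq, and /dev/fd support)
validate_invoice() {
  check_key_for_env "${INVOICE_NAV_API_KEY:-}" "${APP_ENV:-development}" || return 1
  echo "calling $API_URL with key $(redact_key "$INVOICE_NAV_API_KEY")" >&2
  jq -n --rawfile xml "$1" '{xml: $xml}' |
    curl --silent --show-error --config /dev/fd/3 --data @- 3<<EOF
$(curl_config "$INVOICE_NAV_API_KEY")
EOF
}
```

Load INVOICE_NAV_API_KEY from a secret store or an untracked environment file rather than typing it into the shell, so it stays out of history as well.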
Error Responses
If authentication fails, the API returns:
{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key"
  }
}
Common Authentication Errors
| Status | Code | Description |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid API key |
| 403 | INSUFFICIENT_TIER | Your plan does not include this endpoint |
| 402 | QUOTA_EXCEEDED | API quota exceeded |
| 429 | RATE_LIMIT_EXCEEDED | Too many requests |
| 429 | TEST_RATE_LIMIT_EXCEEDED | Test mode rate limit exceeded (100/hour) |
CORS (Cross-Origin Requests)
The API supports cross-origin requests from any domain. All API responses include Access-Control-Allow-Origin: * headers. OPTIONS preflight requests are handled automatically.
For server-to-server integrations, CORS is not relevant — it only applies to browser-based requests.
Getting an API Key
API access is included with all plans, including the free trial. Get started instantly:
- Sign up for free — no credit card required
- Navigate to your Dashboard → API section
- Generate your API key instantly — no approval required
- You'll receive both a live key (sk_live_) and a test key (sk_test_)
Enterprise customers: For custom rate limits or dedicated support, contact our team.