Authentication

Every API request is authorized with a partner API key. Send it in the Authorization header using the Bearer scheme:

Authorization: Bearer ptk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx

API-key requests are for partner-level integration. This is different from the session (JWT/OTP) authorization used in the customer panel and must not be confused with it.

Key format

Keys start with a prefix:

Prefix	Usage
ptk_live_…	Live (prod) environment
ptk_test_…	Test environment

Note

The environment split of the key prefix and access to the test environment are clarified during onboarding. The ptk_test_ example above is a format illustration only; the exact value and test-environment details are provided to you at onboarding.

Key management

• The key is shown in full only once, at creation time. Store it securely.
• If lost, it cannot be recovered; you must generate a new key.
• Only a visible identifier of the key (e.g., the last few characters) appears in listings.

Security

Never keep the API key on the client side (browser, mobile app) or in a public repository. The key is used only in server-to-server calls. If it leaks, generate a new key and revoke the old one immediately.

Unauthorized requests

Requests with an invalid, missing, or revoked key are rejected with 401 Unauthorized and a standard error response.