Authorization header.
API keys
API keys are scoped to an organization and created through the admin CLI or dashboard. Keys come in two modes:| Mode | Prefix | Behavior |
|---|---|---|
| Test | sk_test_ | Test payments, no real charges |
| Live | sk_live_ | Real Visa cards, real payments |
agent-cards-admin env to switch between modes.
Base URL
There is one base URL for the API, in both test and live mode:sk_test_ key issues
test cards against https://api.agentcard.sh; a sk_live_ key issues real cards against
the same URL. Nothing else in the request changes. Always send your requests to
https://api.agentcard.sh, including for sk_test_ keys.
Making authenticated requests
Pass your API key as a Bearer token in theAuthorization header:
Error responses
| Status | Error | Description |
|---|---|---|
401 | Missing or invalid Authorization header | No Authorization: Bearer header provided |
401 | Invalid API key format | Key doesn’t start with sk_test_ or sk_live_ |
401 | Invalid or revoked API key | Key not found or revoked. Make sure you are calling https://api.agentcard.sh — see Base URL above. |
403 | Organization is suspended | The org associated with this key is suspended |
429 | API key rate limit exceeded | Per-key rate limit exceeded (default: 1,000 req/hour) |
Rate limits
Each API key has a configurable rate limit (default: 1,000 requests per hour). Rate limit headers are included in every response:| Header | Description |
|---|---|
RateLimit-Limit | Max requests allowed in the window |
RateLimit-Remaining | Requests remaining in the current window |
RateLimit-Reset | Seconds until the window resets |
Key management
API keys can be managed through theagent-cards-admin CLI: