RemitFlex authenticates every API request using API keys passed as Bearer tokens. There are no sessions, cookies, or OAuth flows to manage — every call you make includes your key in the Authorization header, and RemitFlex validates it before processing the request.

Generating an API Key

API keys are created and managed from the RemitFlex Dashboard. Each key is tied to your account and the permissions you assign to it.
1. Open API Key Settings

   Log in to the RemitFlex Dashboard and navigate to Settings → API Keys.

2. Create a New Key

   Click Create new key. Give it a descriptive name that identifies its purpose or the environment it belongs to — for example, production-payments or staging-webhooks.

3. Select Environment and Scopes

   Choose whether this key is for the Sandbox or Live environment, then select the scopes your integration needs. See Key Scopes below for a breakdown of available permissions.

4. Copy and Store Your Key

   Click Generate. Your key is displayed exactly once — copy it immediately and store it somewhere secure, such as a secrets manager or environment variable. RemitFlex does not store the raw key value after this point.

Using Your API Key

Include your API key as a Bearer token in the Authorization header of every request.
curl --request GET \
  --url https://api.remitflex.com/v1/payments \
  --header "Authorization: Bearer $REMITFLEX_API_KEY"

Key Types: Sandbox vs. Live

RemitFlex issues two categories of API keys so you can develop and test without touching real funds.
| Key Type | Prefix | Environment | Effect |
| --- | --- | --- | --- |
| Test key | rf_test_ | Sandbox | Simulates payments — no real money moves |
| Live key | rf_live_ | Production | Initiates real payments and conversions |
The key prefix tells you at a glance which environment a key belongs to. Use test keys throughout development and switch to a live key only when you’re ready to process real transactions.
The sandbox environment is a full-fidelity replica of production. Every endpoint, response shape, and error code behaves identically — only the underlying settlement is simulated.

Key Scopes

When you create a key, you assign it one or more scopes that limit what the key can do. Follow the principle of least privilege: grant only the scopes your integration actually needs.

read

Fetch payments, quotes, recipients, and account data. No mutations permitted.

write

Create and update payments, quotes, and recipients. Includes all read permissions.

admin

Full access including key management, webhook configuration, and account settings. Reserve this for internal tooling only.

Security Best Practices

Never expose your API key in client-side code, public repositories, or anywhere accessible to end users. A leaked live key gives anyone full access to your RemitFlex account within the scopes it was granted. If you suspect a key has been compromised, revoke it immediately from the Dashboard and issue a replacement.
Store API keys in environment variables or a dedicated secrets manager (such as AWS Secrets Manager, HashiCorp Vault, or Doppler) rather than hard-coding them in configuration files or source code. Reference them at runtime with process.env.REMITFLEX_API_KEY (Node.js) or os.environ['REMITFLEX_API_KEY'] (Python).
Follow these practices to keep your keys secure:
  • Rotate keys regularly. Create a new key, update your integration, then revoke the old key. Rotation limits the blast radius if a key is ever exposed.
  • Use one key per environment. Keep sandbox and production keys completely separate so a mistake in testing can never affect live payments.
  • Scope keys to the minimum required. A service that only reads payment status doesn’t need write or admin permissions.
  • Audit key usage. The Dashboard logs every API call made with each key — review these periodically for unexpected activity.
  • Revoke unused keys. Delete keys that belong to decommissioned services or team members who have left your organization.
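The check below is an added example, not RemitFlex code: a scan for hard-coded keys that could run in a pre-commit hook or CI job, using the documented rf_test_ and rf_live_ prefixes. The length and character set of the key body are assumptions (the page does not specify them), and the sample file content is constructed.

```python
import re

# Assumption: after the documented prefix, a key body is 16 or more letters,
# digits, "_" or "-". The page does not specify the key body format.
KEY_RE = re.compile(r"\b(rf_(?:test|live)_)([A-Za-z0-9_-]{16,})")

def scan(path, text):
    """Return one finding per hard-coded key, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            prefix, body = m.group(1), m.group(2)
            findings.append({
                "path": path,
                "line": lineno,
                # A live key moves real money, so it outranks a test key.
                "severity": "critical" if prefix == "rf_live_" else "warning",
                # Keep prefix and last 4 characters only, so the report
                # itself does not become a second copy of the secret.
                "key": f"{prefix}...{body[-4:]}",
            })
    return findings

# Constructed sample: two hard-coded keys, one correct environment lookup,
# and one documentation placeholder that must not be flagged.
SAMPLE = '''\
API_KEY = "rf_live_EXAMPLEONLY0000000000abcd"
STAGING = "rf_test_EXAMPLEONLY0000000000wxyz"
key = os.environ['REMITFLEX_API_KEY']
# header format: Bearer rf_test_...
'''

if __name__ == "__main__":
    for f in scan("config.py", SAMPLE):
        print(f"{f['path']}:{f['line']} [{f['severity']}] {f['key']}")
```

Any key this scan finds in a repository should be treated as exposed and revoked from the Dashboard, since removing it from the file does not remove it from history.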

Authentication Errors

If a request fails authentication, RemitFlex returns an HTTP 401 Unauthorized response with a JSON error body.
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key. Ensure you are passing a valid Bearer token in the Authorization header.",
    "docs_url": "https://docs.remitflex.com/authentication"
  }
}
Common reasons for a 401 response:
| Cause | Resolution |
| --- | --- |
| Missing Authorization header | Add Authorization: Bearer YOUR_API_KEY to every request |
| Malformed header (e.g. Token prefix instead of Bearer) | Use the exact format Bearer rf_test_... or Bearer rf_live_... |
| Key has been revoked | Generate a new key from the Dashboard |
| Using a test key against the live base URL (or vice versa) | Match your key prefix (rf_test_ / rf_live_) to the correct environment |
| Key lacks the required scope | Re-create the key with the necessary scope or use an admin key to update permissions |
If you receive a 403 Forbidden instead of a 401, your key is valid but lacks permission to perform the requested action. Check the key’s assigned scopes in the Dashboard under Settings → API Keys.
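Three of the causes above can be caught locally before a request leaves your service, which also keeps a live key from being sent to the wrong environment. The sketch below is an added example, not RemitFlex code; the function names, the "sandbox"/"live" labels passed by the caller, and the action strings are assumptions, and the sample body is the 401 response shown above.

```python
import json

# Prefix-to-environment mapping from the Key Types table.
PREFIX_ENV = {"rf_test_": "sandbox", "rf_live_": "live"}

def preflight(headers, target_env):
    """Return None if the request looks sendable, else the likely 401 cause.

    headers is a plain dict; target_env is "sandbox" or "live" and comes
    from the caller's own configuration (hypothetical labels).
    """
    value = headers.get("Authorization")
    if not value:
        return "Missing Authorization header"
    scheme, _, key = value.partition(" ")
    if scheme != "Bearer" or not key:
        return "Malformed header"
    env = next((e for p, e in PREFIX_ENV.items() if key.startswith(p)), None)
    if env is None:
        return "Unrecognized key prefix"  # added check, not a row in the table
    if env != target_env:
        return f"{env} key used against the {target_env} environment"
    return None

def classify(status, body):
    """Map a response to the next step the page prescribes."""
    if status == 401:
        # Only the 401 body is documented, so only that one is parsed.
        err = json.loads(body).get("error", {})
        return ("fix-credentials", err.get("code"))
    if status == 403:
        return ("check-scopes", None)  # key is valid, scope is missing
    return ("ok" if status < 400 else "other", None)

# The documented 401 body, embedded so the example runs offline.
BODY_401 = json.dumps({"error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key. Ensure you are passing a valid "
               "Bearer token in the Authorization header.",
    "docs_url": "https://docs.remitflex.com/authentication"}})

if __name__ == "__main__":
    print(preflight({"Authorization": "Bearer rf_test_example"}, "live"))
    print(classify(401, BODY_401))
```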