Wire format
<mode>istestorlive. Test keys run the full happy path against a sandbox payment instance — KYB and buyer KYC auto-approve and no real money moves. Live keys execute against real rails. See Environments.<id>is the public lookup half — safe to log.<secret>is surfaced exactly once, at creation. Caratuva stores only a salted hash; the plaintext cannot be recovered. If you lose it, revoke the key and create a new one.
Header
Issue a key
scopes is optional. Omitting it (or passing []) issues an unrestricted key — useful for the bootstrap key but not recommended for narrowly-scoped integrations. See Scopes below for the available values.
Response (the secret field is the only place the full key ever appears):
secret in your secret manager immediately. Subsequent GET /v1/api-keys calls return the metadata only — never the secret.
List keys
Revoke a key
Rotation
There is no in-place rotation endpoint for API keys (unlike webhook secrets). The rotation procedure is:POST /v1/api-keysto create the new key.- Deploy the new key to your integrator.
DELETE /v1/api-keys/<old-id>to revoke.
lastUsedAt so you can confirm the new key is in use before revoking the old one.
Scopes
API keys are gated by scope on a per-route basis. A request with a scoped key that’s missing the required scope returns403 InsufficientScope. Available scopes:
| Scope | Grants |
|---|---|
payment_intents:write | POST /v1/payment-intents, cancel |
payment_intents:read | GET /v1/payment-intents/:id |
invoices:write | POST /v1/invoices, cancel, invite-buyer |
invoices:read | GET /v1/invoices, GET /v1/invoices/:id |
webhooks:write | POST /v1/webhook-subscriptions, delete, rotate-secret |
webhooks:read | GET /v1/webhook-subscriptions, deliveries |
api_keys:write | POST /v1/api-keys, revoke |
connected_accounts:write | POST /v1/connected-accounts, tos, upload-url, submit, payout-config |
connected_accounts:read | GET /v1/connected-accounts, GET /v1/connected-accounts/:id |
webhooks:write is usually unnecessary.)
Backwards-compat note
Keys issued before scopes existed havescopes = [], which Caratuva treats as unrestricted to preserve their existing behavior. To migrate, issue a new key with explicit scopes, deploy, then revoke the unscoped one.
Test vs live
Usepk_test_* keys against staging and CI environments. Test keys are flagged on the authenticated principal as testMode: true. The entire flow — buyer KYC, payment collection, cross-border transfer, FX, and PIX payout — runs against a sandbox payment instance: KYB and buyer KYC auto-approve and no real money moves. Live keys hit production rails; never use them outside production. See Environments for the full mode model.