CurrencyCore
API Reference
Authentication
How to authenticate requests and manage API keys in CurrencyCore.
Authenticating requests
Send your API key with every request — either as a bearer token in the
Authorization header (recommended), or in the x-api-key header. Both are
equivalent; pick whichever your HTTP client makes easiest.
Authorization: Bearer cc_live_your_key_herex-api-key: cc_live_your_key_hereThere is no query-string auth — your key never goes in the URL, since URLs are written to server, proxy, and browser logs. All production traffic must go over HTTPS.
API key types
Choose Live or Test when you create a key in the dashboard:
| Type | Prefix | Use case |
|---|---|---|
| Live key | cc_live_ | Production requests, billed against your plan’s monthly quota and rate limit. |
| Test key | cc_test_ | Development & sandboxing. Always capped at the Hobby rate limit (60 req/min), regardless of your plan. |
Keys are scoped to an organization. You can create multiple keys per org and revoke them individually from the dashboard.
Demo (sandbox) keys
The Playground in the dashboard runs requests through a short-lived demo key so you can try the API without provisioning one of your own. These keys are not for production:
- Extremely limited — capped at 100 requests total over its short validity, far below any plan. The key rotates hourly, on use, so each one is good for roughly an hour. They’re meant for a handful of trial calls, not real traffic.
- Session-bound and auto-expiring — a demo key is tied to your dashboard session and rotates automatically (roughly hourly), so it only works from inside the CurrencyCore dashboard Playground. It will stop working as soon as it rotates.
When you’re ready to integrate, create a Live key (above) and call the API directly with your own credentials.
Key security
- Keys are shown in full only once at creation time. Store them securely (environment variables, secrets manager).
- Revoked keys return
401 Unauthorizedimmediately. - Rotate keys regularly — the dashboard makes this a one-click operation.
Rate limits
Rate limits are enforced per API key, per minute:
| Plan | Requests/month | Burst limit |
|---|---|---|
| Hobby (free) | 10,000 | 60 req/min |
| Pro | 250,000 | 600 req/min |
| Scale | 2,000,000 | 3,000 req/min |
| Business | 10,000,000 | 6,000 req/min |
| Enterprise | Unlimited | 12,000+ req/min |
Exceeded limits return 429 Too Many Requests with a Retry-After header.
Organization roles
| Role | Can create keys | Can manage billing | Can invite members |
|---|---|---|---|
| Owner | Yes | Yes | Yes |
| Admin | Yes | No | Yes |
| Member | No | No | No |