api-key header:
Two Types of Keys
| Key | What it’s for | How to get it |
|---|---|---|
| Master key | Onboarding users, getting signup links, checking rates | Provided by Bringin during partner setup |
| Per-user key | Creating orders, checking balance, listing transactions, managing connections | Returned after connecting a user (via API response or webhook) |
Per-user keys have limited permissions — they can only push crypto for conversion. Safe to store on client devices.
When is HMAC needed?
Only when you callPOST /application/connect with a callback URL (webhook-enabled onboarding). HMAC proves the request came from your server.
If you don’t use webhooks, you don’t need HMAC.
See HMAC Signing for the step-by-step process.
Headers
Bothapi-key and x-api-key are accepted. Keys may optionally have prefixes (pk_live_, sk_test_, etc.) — these are stripped automatically.