Authentication
Use AICardAPI API keys without exposing stored secrets.
API key header
Merchant API calls authenticate with the X-API-Key header. The merchant dashboard shows the active key masked, and lets you copy the full active secret when the server has stored it.
UI login is separate
Human Dashboard access starts at /login and uses a signed HttpOnly UI session. A Merchant API key is never a browser login credential, and an Ops UI session is never treated as a Merchant API key.
Ops boundary
Internal Ops calls are made through server-side BFF routes after an Ops UI session. The browser must not receive Ops API tokens, provider credentials, webhook secrets or raw evidence.
Rotation and revocation
Lost keys are revoked with DELETE /v1/api-keys/{key_id} and recreated. Revoked keys remain visible for audit lookup but are not copyable for API calls.
Header example
Use a placeholder environment variable instead of a literal credential; your client or shell substitutes the value when the request is sent.
X-API-Key: $YOUR_AICARD_API_KEY
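The rules above (X-API-Key on merchant calls, a separate signed UI session for the dashboard and Ops BFF routes, revoked keys that stay visible but unusable, and a header built from an environment variable) can be exercised end to end in a small model. The code below is an added illustration, not AICardAPI's own implementation: the hashed in-memory key store, the "user.hmac" session format, the cookie name ui_session, the /v1/ and /ops/bff/ route prefixes, and the signing key are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Constructed demo value; a deployment loads its session signing key from a secret store.
SESSION_SIGNING_KEY = b"constructed-demo-session-signing-key"


@dataclass
class ApiKey:
    key_id: str
    key_hash: str           # SHA-256 of the secret; API calls are checked against this
    prefix: str             # short visible prefix for the masked dashboard display
    secret: Optional[str]   # full secret, present only when the server chose to store it
    revoked: bool = False


class KeyStore:
    """In-memory key store (assumed design; the page does not describe storage)."""

    def __init__(self) -> None:
        self._keys: dict = {}

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def create(self, store_secret: bool = True) -> Tuple[ApiKey, str]:
        # The secret is returned once at creation; it is kept server-side only if asked.
        secret = "ak_" + secrets.token_urlsafe(24)
        rec = ApiKey(key_id="key_" + secrets.token_hex(4), key_hash=self._hash(secret),
                     prefix=secret[:6], secret=secret if store_secret else None)
        self._keys[rec.key_id] = rec
        return rec, secret

    def lookup(self, key_id: str) -> Optional[ApiKey]:
        # Revoked records stay in the store so audit lookups still resolve the key_id.
        return self._keys.get(key_id)

    def masked(self, key_id: str) -> Optional[str]:
        rec = self.lookup(key_id)
        return rec.prefix + "*" * 8 if rec else None

    def copyable_secret(self, key_id: str) -> Optional[str]:
        # Only an active key whose secret was stored can be copied from the dashboard.
        rec = self.lookup(key_id)
        return rec.secret if rec and not rec.revoked else None

    def revoke(self, key_id: str) -> bool:
        # DELETE /v1/api-keys/{key_id}: the record is flagged, not deleted.
        rec = self.lookup(key_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def authenticate(self, presented: Optional[str]) -> Optional[str]:
        # Constant-time compare of the presented secret's hash against each active key.
        if not presented:
            return None
        h = self._hash(presented)
        for rec in self._keys.values():
            if not rec.revoked and hmac.compare_digest(rec.key_hash, h):
                return rec.key_id
        return None


def sign_session(user: str) -> str:
    """Build a signed UI session cookie value (assumed format: user.hmac)."""
    mac = hmac.new(SESSION_SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_session(cookie: Optional[str]) -> Optional[str]:
    if not cookie or "." not in cookie:
        return None
    user, mac = cookie.rsplit(".", 1)
    expected = hmac.new(SESSION_SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def authorize(route: str, headers: Mapping[str, str], cookies: Mapping[str, str],
              store: KeyStore) -> Tuple[int, str]:
    """Merchant routes check only X-API-Key; Ops BFF routes check only the UI session.
    Neither credential is ever accepted in the other role."""
    if route.startswith("/v1/"):
        key_id = store.authenticate(headers.get("X-API-Key"))
        return (200, key_id) if key_id else (401, "valid X-API-Key required")
    if route.startswith("/ops/bff/"):
        user = verify_session(cookies.get("ui_session"))
        return (200, user) if user else (401, "Ops UI session required")
    return (404, "unknown route")


def api_key_header(env: Mapping[str, str] = os.environ) -> dict:
    """Build the X-API-Key header from the environment, never from a literal in code."""
    key = env.get("YOUR_AICARD_API_KEY")
    if not key:
        raise RuntimeError("YOUR_AICARD_API_KEY is not set")
    return {"X-API-Key": key}
```

The two checks in authorize are deliberately independent: a request carrying a valid ui_session cookie to a merchant route, or a valid X-API-Key to an Ops BFF route, gets 401, which is the boundary the page describes. After revoke, lookup still returns the record (for audit) while copyable_secret and authenticate both return None.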