All requests to the Orafi API must include a valid API key in the x-api-key header. Your API key identifies your business and determines whether requests run in test or live mode.
| Environment | Prefix | Example |
|---|
| Test | ora_test_ | ora_test_a1b2c3d4e5f6... |
| Live | ora_live_ | ora_live_x9y8z7w6v5u4... |
Making authenticated requests
Include your API key in the x-api-key header on every request:
curl -X GET https://api.orafi.app/transactions \
-H "x-api-key: ora_test_your_api_key"
Requests without a valid x-api-key header return a 401 Unauthorized error.
Test vs live mode
Your API key controls which mode you operate in. Both modes use the same base URL (https://api.orafi.app), so there’s no environment-specific endpoint to remember.
| Feature | Test mode | Live mode |
|---|
| Real funds | No (testnet) | Yes (mainnet) |
| Webhooks | Delivered normally | Delivered normally |
| Onboarding required | No | Yes |
| API key prefix | ora_test_ | ora_live_ |
Always develop and test your integration using test-mode keys first. Switch to live keys only after your integration is verified.
Keeping keys secure
- Never expose API keys in client-side code, mobile apps, or public repositories.
- Store keys in environment variables or a secrets manager.
- Rotate keys immediately if you suspect they have been compromised.
- Use test keys for all development and CI/CD pipelines.
