Authentication

OpenCard uses environment-scoped API keys for SDK and REST API access. Keep sandbox and production credentials isolated, and rotate keys on a fixed schedule.

API keys

Use sandbox keys for local and CI environments
Use live keys only in production workloads
Never expose live keys in browser bundles

Auth header

curl https://api.opencard.dev/v1/cards \  -H "Authorization: Bearer sk_sandbox_abc123..." \  -H "Content-Type: application/json"

curl https://api.opencard.dev/v1/cards \  -H "Authorization: Bearer sk_sandbox_abc123..." \  -H "Content-Type: application/json"

Key management recommendations

Store credentials in a managed secret store
Scope keys by service and environment
Audit access to secret values and rotation workflows