All protected endpoints require an API key in the request header. Public endpoints need no authentication.

API Key Header

Include x-api-key on every protected request.

x-api-key: YOUR_API_KEY

Important

Keep your key secret Never expose your API key in client-side code or public repositories. Store it in environment variables.

Public Endpoints

These endpoints do not require x-api-key.

GET /api/v1/health
GET /api/v1/status

Protected Endpoints

All of the following require a valid x-api-key.

POST /api/v1/initialize
POST /api/v1/setup
POST /api/v1/sync
GET  /api/v1/codes
GET  /api/v1/customers/:pin
GET  /api/v1/notices
GET  /api/v1/branches
POST /api/v1/items/service
POST /api/v1/items/goods
POST /api/v1/items
GET  /api/v1/items
POST /api/v1/sales
POST /api/v1/sales/credit-note
GET  /api/v1/purchases
POST /api/v1/purchases
POST /api/v1/stock/io
PUT  /api/v1/stock/master
GET  /api/v1/stock/movements

Sandbox vs Production

Production

For live transactions. Requires a production key from your Ushuru dashboard.