Authentication

Environments

Conduit provides two environments. Both expose the same API and use the same authentication mechanism.

Environment	Base URL	Purpose
Sandbox	`https://api.sandbox.conduit.financial/v2`	Integration development and testing
Production	`https://api.conduit.financial/v2`	Live operations

Your sandbox organization is automatically linked to your production organization. Data does not cross between environments.

All requests require an API key passed in the x-api-key header.

curl https://api.conduit.financial/v2/customers \
  -H "x-api-key: YOUR_API_KEY"

Keys are scoped to a single organization and environment. Generate and revoke keys from the Conduit dashboard.

API keys are shown once at creation and hashed server-side (SHA-256). Conduit cannot recover a lost key — revoke it and create a new one.

Header	Required	Description
`x-api-key`	Yes	Your API key
`Content-Type`	Yes (POST/PATCH)	`application/json` for JSON bodies, `multipart/form-data` for file uploads
`idempotency-key`	No	Prevents duplicate operations on POST requests. Cached for 5 minutes.
`x-client-correlation-id`	No	Your trace ID. Echoed back in the response for request correlation.

Conduit also returns an x-correlation-id header on every response — a server-generated trace ID useful for support requests.

Status	Meaning	What to do
`400`	Validation failed	Check the `errors` array in the response body for field-level details
`401`	Missing or invalid API key	Verify your `x-api-key` header
`403`	Forbidden	Your API key does not have access to this resource or organization
`404`	Resource not found	Check the resource ID and ensure it belongs to your organization
`409`	Conflict	A resource with the same unique constraint already exists
`429`	Rate limited	Slow down and retry after the `Retry-After` header value (in seconds)
`500`	Internal error	Retry with exponential backoff. If persistent, contact support with the `x-correlation-id` from the response