Authentication
All API requests require authentication using an API key or OAuth 2.0 token.
API Key Authentication
Include your API key in the Authorization header:
```bash
curl https://api.islamicopenfinance.com/v1/contracts \
  -H "Authorization: Bearer iof_sk_live_abc123..."
```
Key Types
| Type | Prefix | Environment |
|---|---|---|
| Live Secret | iof_sk_live_ | Production |
| Test Secret | iof_sk_test_ | Sandbox |
| Publishable | iof_pk_ | Client-side |
Creating Keys
Via the dashboard or API:
```typescript
// `iof` is an already-initialized SDK client; its setup is not shown on this page.
const key = await iof.apiKeys.create({
  name: "Production Server",
  permissions: ["contracts:*", "kyc:read"],
});
```
OAuth 2.0
For user-delegated access:
```bash
curl https://api.islamicopenfinance.com/v1/contracts \
  -H "Authorization: Bearer iof_at_abc123..."
```
See OAuth 2.0 Guide for implementation details.
Scopes
| Scope | Access |
|---|---|
| contracts:read | Read contracts |
| contracts:write | Create/update contracts |
| contracts:* | Full contract access |
| kyc:read | Read KYC data |
| kyc:write | Submit verifications |
| billing:read | View billing |
| admin:* | Full admin access |
Error Responses
401 Unauthorized
```json
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key"
  }
}
```
403 Forbidden
```json
{
  "error": {
    "code": "FORBIDDEN",
    "message": "API key lacks required permissions"
  }
}
```
Security Best Practices
- Never expose secret keys in client-side code
- Use environment variables for credentials
- Rotate keys regularly (90 days recommended)
- Use minimum required scopes
- Monitor key usage for anomalies
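One way to enforce the first two practices in code, as an added example that is not part of the SDK or the original page: a startup guard that accepts only the right key type for the target environment, and a build-time check that finds secret keys in text destined for the browser. The env var name `IOF_API_KEY`, the function names, and the assumed key alphabet are hypothetical.

```typescript
// Prefixes come from the Key Types table and the OAuth sample on this page.
type KeyKind = "live_secret" | "test_secret" | "publishable" | "oauth_token" | "unknown";

const PREFIXES: Array<[string, KeyKind]> = [
  ["iof_sk_live_", "live_secret"],
  ["iof_sk_test_", "test_secret"],
  ["iof_pk_", "publishable"],
  ["iof_at_", "oauth_token"],
];

function matchPrefix(token: string): [string, KeyKind] {
  for (let i = 0; i < PREFIXES.length; i++) {
    if (token.indexOf(PREFIXES[i][0]) === 0) return PREFIXES[i];
  }
  return ["", "unknown"];
}

function classifyKey(token: string): KeyKind { return matchPrefix(token)[1]; }

// Keep only the prefix and last 4 characters so logs never carry a usable credential.
function redact(token: string): string {
  const prefix = matchPrefix(token)[0];
  const body = token.slice(prefix.length);
  return prefix + "****" + (body.length > 8 ? body.slice(-4) : "");
}

// Assumption: the server reads its key from an env var named IOF_API_KEY.
function loadServerKey(env: Record<string, string | undefined>, target: "production" | "sandbox"): string {
  const token = (env["IOF_API_KEY"] ?? "").trim();
  const kind = classifyKey(token);
  const wanted: KeyKind = target === "production" ? "live_secret" : "test_secret";
  if (kind !== wanted) {
    throw new Error(`IOF_API_KEY is ${kind}, expected ${wanted} for ${target}`);
  }
  return token;
}

// Assumption: key bodies are [A-Za-z0-9]; the page does not specify the alphabet.
const SECRET_RE = /iof_sk_(?:live|test)_[A-Za-z0-9]+/g;

// Scan text meant for the browser (bundle, HTML, config) and report redacted hits.
function findSecretsInClientText(text: string): string[] {
  return (text.match(SECRET_RE) ?? []).map(redact);
}

// Constructed sample: a client bundle that wrongly embeds a secret key.
const sampleBundle = 'init({pk:"iof_pk_CONSTRUCTED0001", sk:"iof_sk_live_CONSTRUCTED9999"})';
console.log(findSecretsInClientText(sampleBundle));
```

Run `findSecretsInClientText` over build output in CI and fail the build on any hit; publishable `iof_pk_` keys pass because they are intended for client-side use.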
Next Steps
- API Keys Guide - Key management
- Errors Reference - Error codes