Skip to main content

Overview

The Distributor API uses API key authentication via the Authorization header. All requests must include a valid API key with the appropriate permissions.

Authentication Method

Header Format

Authorization: Bearer uwk_YOUR_API_KEY_HERE
Authorization
string
required
Bearer token containing your API key. Must start with the prefix uwk_

API Key Format

Universal Wallet API keys follow this format: 
uwk_[52 character random string]
Example: 
uwk_DlbWVU3Vjd11Le43kka6enGNjyd6xtbrBkNHMngl2aNz2Cm7
API keys are sensitive credentials. Keep them secure and never expose them in client-side code or public repositories.

Security Features

Key Hashing

API keys are hashed using SHA-256 before storage. The plaintext key is only shown once upon creation.

IP Whitelisting

Keys can be restricted to specific IP addresses for enhanced security.

Expiration

All keys have an expiration date. Expired keys are automatically rejected.

Scoped Permissions

Each key has granular permissions:
  • Read Balance: Query distributor wallet balance
  • Read Transactions: View operation history
  • Perform Operations: Create cash-in/cash-out operations

Transaction Limits

Keys can have per-transaction and daily volume limits.

Error Responses

{
  "error": "Unauthorized",
  "message": "Invalid or missing API key"
}

Best Practices

Store API keys in environment variables, never hard-code them:
const apiKey = process.env.UNIVERSAL_WALLET_API_KEY;
Create new keys and revoke old ones every 90-180 days to minimize risk.
Only enable the permissions your integration actually needs.
Regularly review API key usage logs for unexpected activity.

Creating API Keys

Learn how to create and manage API keys

Security Best Practices

Comprehensive security guide