Authentication
API Keys
For server-to-server integrations, use API keys. Generate one from the Developer Portal.
Include the key in every request as a header:
```bash
curl -H "X-Api-Key: your-64-character-api-key" \
  https://api.invoro.eu/invoice-api/invoices
```
API Key Properties
- 64 characters long, randomly generated
- Stored as SHA-256 hash (we never store the plaintext)
- Scoped to a single company
- Can be revoked at any time from the Developer Portal
Test vs Live Keys
- Live keys (`ak_live_...`) operate on production invoices
- Test keys (`ak_test_...`) operate on test invoices only, no real Peppol delivery occurs
Test and live data are fully isolated: a test key will never see live invoices and vice versa.
Scopes
Each API key specifies which operations it may perform. Available scopes:
| Scope | Access |
|---|---|
| invoice:create | Create new invoices |
| invoice:read | List and view invoices |
| invoice:send | Send invoices to Peppol |
| invoice:delete | Delete draft invoices |
| contact:read | List and view contacts |
| contact:create | Create contacts |
| contact:delete | Delete contacts |
| participant:read | Look up Peppol participants |
A request requiring a scope the key lacks will return 403 Forbidden.
Security Best Practices
- Never expose API keys in client-side code or version control
- Use environment variables to store keys
- Rotate keys periodically
- Use separate test and live keys
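
A client-side loader that applies these practices, as an added example (not Invoro's own code): it reads the key from an environment variable, refuses a live key where a test key is expected (and vice versa), and only ever logs a redacted form. The variable name `INVORO_API_KEY`, the helper names, and the reading that the documented 64 characters include the `ak_live_`/`ak_test_` prefix are assumptions.

```python
import os

# Assumptions (not from the docs above): the environment variable name, and
# that the documented 64 characters include the ak_live_/ak_test_ prefix.
KEY_ENV_VAR = "INVORO_API_KEY"
KEY_LENGTH = 64
PREFIXES = {"ak_live_": "live", "ak_test_": "test"}


class ApiKeyError(ValueError):
    """The configured key is missing, malformed, or of the wrong mode."""


def redact(key):
    """Log-safe form of a key: the mode prefix plus the last four characters."""
    return f"{key[:8]}...{key[-4:]}" if len(key) > 12 else "***"


def key_mode(key):
    """Return 'live' or 'test' based on the documented key prefix."""
    for prefix, mode in PREFIXES.items():
        if key.startswith(prefix):
            return mode
    raise ApiKeyError("key does not start with ak_live_ or ak_test_")


def load_api_key(expected_mode, environ=os.environ):
    """Read the key from the environment and check it before any request is made."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise ApiKeyError(f"{KEY_ENV_VAR} is not set")
    if len(key) != KEY_LENGTH:
        raise ApiKeyError(f"expected {KEY_LENGTH} characters, got {len(key)}")
    mode = key_mode(key)
    if mode != expected_mode:
        # Fail closed: a CI job or staging host must never send live invoices.
        raise ApiKeyError(
            f"{mode} key {redact(key)} configured where a {expected_mode} key is required"
        )
    return key


def auth_headers(expected_mode, environ=os.environ):
    """Headers for a request, using the X-Api-Key header documented above."""
    return {"X-Api-Key": load_api_key(expected_mode, environ)}
```

Call `auth_headers("test")` in CI and staging and `auth_headers("live")` only in the production deployment, so a misplaced key fails at startup instead of reaching the API.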