API Authentication
Our API service is only available to Business Accounts. To obtain access to our API, create a business account and complete the KYB process. Once your account has been verified, you will be able to generate your API keys from the Business Portal.
API Keys
API keys are used to authenticate your requests to the BLOX API. Each key is associated with your account and determines which resources you can access.
[!IMPORTANT] When generating an API key, you must provide a signing public key. This key is used to verify signatures for all state-changing requests (POST, PUT, PATCH, DELETE).
Types of API Keys
- Production Keys: Used for live applications and real transactions.
- Sandbox Keys: Used for testing and development in the sandbox environment.
Getting Your API Keys
API keys are obtained through our business interface:
- Production: https://business.blox.my/devtools/api-keys
- Sandbox: https://business.sandbox.blox.my/devtools/api-keys
[!WARNING] Your API Key (secret) will only be displayed once upon creation. Copy and save it immediately in a secure location. If you lose it, you will need to deactivate the key and generate a new one.
Authentication Methods
Header Authentication
The primary method for authenticating API requests is using the blox-api-key header.
curl https://api.blox.my/v1/health \
  -H "blox-api-key: YOUR_API_KEY"
[!NOTE] For legacy compatibility, we also support the Authorization: Bearer YOUR_API_KEY header, but blox-api-key is preferred.
Request Headers
All authenticated requests should include the following headers:
| Header | Required | Description |
|---|---|---|
| blox-api-key | Yes | Your API key (secret) |
| Content-Type | Yes (for POST/PUT) | Set to application/json |
| Content-Digest | Yes (for signed) | RFC 9421 digest of the request body |
| Signature-Input | Yes (for signed) | RFC 9421 signature metadata |
| Signature | Yes (for signed) | RFC 9421 cryptographic signature |
Signatures for State-Changing Requests
All POST, PUT, PATCH, and DELETE requests require an additional layer of security through RFC 9421 HTTP Message Signatures. This ensures that the request originated from you and has not been tampered with.
For detailed instructions on how to implement signatures, see our Request Signature documentation.
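The header rules above can be checked on the client before a request is sent. The following is an added example, not BLOX code: `content_digest` and `preflight` are hypothetical names, and the `alg=:base64:` Content-Digest form with sha-256/sha-512 is taken from RFC 9530 as an assumption, since this page does not spell out the format. It checks header presence and that the digest matches the body; it does not verify the signature itself.

```python
import base64
import hashlib

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Assumption: digest algorithm names as registered by RFC 9530.
DIGEST_ALGS = {"sha-256": hashlib.sha256, "sha-512": hashlib.sha512}


def content_digest(body: bytes, alg: str = "sha-256") -> str:
    """Build a Content-Digest value of the form alg=:base64(hash(body)):."""
    raw = DIGEST_ALGS[alg](body).digest()
    return f"{alg}=:{base64.b64encode(raw).decode()}:"


def preflight(method: str, headers: dict, body: bytes = b"") -> list:
    """Return a list of problems; an empty list means the header set is complete."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    method = method.upper()
    problems = []
    if not h.get("blox-api-key"):
        problems.append("missing blox-api-key")
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if method in ("POST", "PUT") and ctype != "application/json":
        problems.append("Content-Type must be application/json")
    if method not in STATE_CHANGING:
        return problems  # read-only requests need no signature headers
    for name in ("content-digest", "signature-input", "signature"):
        if not h.get(name):
            problems.append(f"missing {name}")
    # The header may carry several comma-separated alg=:value: entries.
    digest = h.get("content-digest", "")
    entries = dict(p.strip().split("=", 1) for p in digest.split(",") if "=" in p)
    known = [alg for alg in entries if alg in DIGEST_ALGS]
    if digest and not known:
        problems.append("content-digest uses no supported algorithm")
    for alg in known:
        if entries[alg] != content_digest(body, alg).split("=", 1)[1]:
            problems.append(f"content-digest ({alg}) does not match body")
    return problems


if __name__ == "__main__":
    body = b'{"amount": "10.00"}'  # constructed sample body
    headers = {"blox-api-key": "YOUR_API_KEY", "Content-Type": "application/json",
               "Content-Digest": content_digest(body),
               "Signature-Input": "PLACEHOLDER", "Signature": "PLACEHOLDER"}
    print(preflight("POST", headers, body))              # complete header set
    print(preflight("POST", headers, body + b" "))       # body changed after digest
```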
Example Request (Read-only)
curl https://api.blox.my/v1/health \
  -H "blox-api-key: YOUR_API_KEY"
Testing Authentication
You can test your API key by making a request to the health endpoint:
curl https://api.sandbox.blox.my/v1/health \
  -H "blox-api-key: YOUR_API_KEY"
A successful response indicates your API key is valid:
{
"success": true,
"message": "API key is valid",
"account": {
"id": "acc_...",
"name": "Your Business Name",
"type": "BUSINESS",
"status": "ACTIVE"
}
}