Skip to main content
The Onstacks API uses workspace API keys. Send the key as a bearer token in the Authorization header. 
Authorization: Bearer <api_key>

API key format

Use the key value returned when the workspace API key is created. The API only returns the full token once. Store the token in a secret manager or server-side environment variable: 
export ONSTACKS_API_KEY="osk_test_..."

Example request

curl "$ONSTACKS_API_URL/v1/balances?environment=sandbox" \
  -H "Authorization: Bearer $ONSTACKS_API_KEY"

Environments

Most resource routes accept environment=sandbox or environment=live. Use separate API keys for sandbox and live access when your workspace policy requires environment separation.

Scopes

API keys can be created with scopes such as:
  • wallets:read
  • transfers:read
  • transfers:create
  • transfers:approve
  • api_keys:manage
  • admin:*
Use the narrowest scope set required by the integration.

Security practices

  • Keep live API keys on trusted servers.
  • Do not place API keys in browser bundles, mobile apps, public repositories, or logs.
  • Rotate keys on a regular schedule.
  • Revoke keys immediately when they are no longer needed.
  • Use sandbox keys for test automation.