
Authentication

All Torque API requests require authentication using API keys. This guide explains how to securely authenticate your requests.

API Keys

Getting Your API Key

  1. Sign Up: Create a Torque business account at torque.fi/business
  2. Complete Profile: Fill out your business information
  3. Generate Key: Navigate to API settings and generate your first API key
  4. Store Securely: Save your API key in a secure location

API Key Format

Your API key will look like this:

torque_live_1234567890abcdef1234567890abcdef

Important: Never share your API key publicly or commit it to version control.

Request Headers

Required Headers

Every API request must include these headers:

Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
Accept: application/json

Example Request

const response = await fetch('https://api.torque.fi/v1/checkout/generate-link', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json',
    'Accept': 'application/json'
  },
  body: JSON.stringify(requestData)
});

cURL Example

curl -X POST https://api.torque.fi/v1/checkout/generate-link \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{"businessId": "business_123", "cart": {"items": []}}'

🛡️ Security Best Practices

API Key Management

  • Environment Variables: Store API keys in environment variables
  • Secret Management: Use secure secret management services
  • Rotation: Regularly rotate your API keys
  • Access Control: Limit API key access to necessary team members

Request Security

  • HTTPS Only: Always use HTTPS for API requests
  • Rate Limiting: Respect rate limits to avoid abuse
  • Input Validation: Validate all input data before sending
  • Error Handling: Don't expose sensitive information in error logs

Example: Environment Variable Setup

# .env file
TORQUE_API_KEY=torque_live_1234567890abcdef1234567890abcdef
TORQUE_BUSINESS_ID=business_123

// config.js
const config = {
  apiKey: process.env.TORQUE_API_KEY,
  businessId: process.env.TORQUE_BUSINESS_ID,
};

export default config;

🔄 API Key Rotation

When to Rotate

  • Security Breach: If you suspect your key has been compromised
  • Employee Departure: When team members leave your organization
  • Regular Schedule: Every 90 days as a security best practice
  • Suspicious Activity: Unusual API usage patterns

Rotation Process

  1. Generate New Key: Create a new API key in your dashboard
  2. Update Applications: Update all applications with the new key
  3. Test: Verify the new key works correctly
  4. Revoke Old Key: Delete the old key after confirming everything works
  5. Monitor: Watch for any failed requests or issues

📊 Rate Limiting

Current Limits

  • Standard Plan: 1,000 requests per minute
  • Business Plan: 10,000 requests per minute
  • Enterprise Plan: Custom limits available

Rate Limit Headers

API responses include rate limit information:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1640995200

Handling Rate Limits

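// Retry a rate-limited request, but only a bounded number of times.
async function makeApiRequest(retriesLeft = 3) {
  try {
    const response = await fetch('/api/endpoint', {
      headers: {
        'Authorization': `Bearer ${apiKey}`,
        'Content-Type': 'application/json'
      }
    });

    if (response.status === 429) {
      // Stop instead of parsing the 429 body as a normal result or retrying forever.
      if (retriesLeft <= 0) {
        throw new Error('Rate limit exceeded: retries exhausted');
      }

      // X-RateLimit-Reset is a Unix timestamp in seconds.
      const resetTime = Number(response.headers.get('X-RateLimit-Reset'));
      // Fall back to a one-second wait if the header is missing or already in the past.
      const waitTime = Number.isFinite(resetTime)
        ? Math.max(1000, (resetTime * 1000) - Date.now())
        : 1000;

      await new Promise(resolve => setTimeout(resolve, waitTime));
      return makeApiRequest(retriesLeft - 1); // Retry
    }

    return response.json();
  } catch (error) {
    console.error('API request failed:', error);
    throw error;
  }
}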

🚨 Common Authentication Errors

401 Unauthorized

{
  "success": false,
  "error": "Invalid or missing API key",
  "code": "AUTH_001"
}

Solutions:

  • Check your API key is correct
  • Ensure the key is included in the Authorization header
  • Verify the key hasn't expired or been revoked

403 Forbidden

{
  "success": false,
  "error": "Insufficient permissions for this endpoint",
  "code": "AUTH_002"
}

Solutions:

  • Check your account permissions
  • Verify your business account is active
  • Contact support if you need elevated access

429 Too Many Requests

{
  "success": false,
  "error": "Rate limit exceeded",
  "code": "RATE_001"
}

Solutions:

  • Implement exponential backoff
  • Check rate limit headers
  • Consider upgrading your plan
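
A bounded backoff for 429 responses, as an added example (not Torque's own code): it waits until X-RateLimit-Reset when that header is usable, falls back to exponential backoff with jitter otherwise, and redacts the key from the final error message. The function names, the delay constants and the injected `deps` object are assumptions.

```javascript
// Added example, not part of the Torque SDK. Names and constants are assumptions.
const BASE_DELAY_MS = 500;    // assumed first backoff step
const MAX_DELAY_MS = 60_000;  // assumed cap so a bad header cannot stall the client

// Delay before retry number `attempt` (0-based). The reset header is treated as
// untrusted input: missing, non-numeric or already-past values are ignored.
function computeRetryDelayMs(resetHeader, attempt, nowMs, rand = Math.random) {
  const backoff = Math.min(MAX_DELAY_MS, BASE_DELAY_MS * 2 ** attempt);
  // "Equal jitter": half fixed, half random, so parallel clients do not retry in lockstep.
  const jittered = Math.floor(backoff / 2 + rand() * (backoff / 2));
  const resetSec = Number(resetHeader);
  if (!resetHeader || !Number.isFinite(resetSec)) return jittered;
  const untilReset = resetSec * 1000 - nowMs; // header is epoch seconds
  if (untilReset <= 0) return jittered;
  return Math.min(MAX_DELAY_MS, Math.max(untilReset, jittered));
}

// Strip bearer tokens and torque_live_ keys from text before it reaches a log.
function redactSecrets(text) {
  return String(text)
    .replace(/Bearer\s+[A-Za-z0-9._~+\/-]+=*/g, 'Bearer [REDACTED]')
    .replace(/torque_live_[A-Za-z0-9]+/g, 'torque_live_[REDACTED]');
}

// Send a request and retry only on 429, at most `maxAttempts` times in total.
async function requestWithBackoff(url, options, deps = {}) {
  const {
    fetchImpl = globalThis.fetch,
    sleep = ms => new Promise(resolve => setTimeout(resolve, ms)),
    now = Date.now,
    maxAttempts = 5,
  } = deps;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const response = await fetchImpl(url, options);
    if (response.status !== 429) return response;
    if (attempt === maxAttempts - 1) break; // no point sleeping after the last try
    const reset = response.headers.get('X-RateLimit-Reset');
    await sleep(computeRetryDelayMs(reset, attempt, now()));
  }
  // The message is redacted in case a key ended up in the URL.
  throw new Error(`Rate limited after ${maxAttempts} attempts: ${redactSecrets(url)}`);
}
```
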

📝 Testing Authentication

Test Endpoint

Use our test endpoint to verify your authentication:

curl -X GET https://api.torque.fi/v1/auth/test \
  -H "Authorization: Bearer YOUR_API_KEY"

Expected Response

{
  "success": true,
  "message": "Authentication successful",
  "business": {
    "id": "business_123",
    "name": "Your Business Name",
    "status": "active"
  }
}


Need help with authentication? Contact our support team at hello@torque.fi or join our Discord community.