This guide walks you through the essential steps to make your first successful API call and explains the core authentication and security principles of the P100 API.
Access to the P100 API is a structured process designed to ensure security and a successful partnership. It begins with applying for a P100 Business Account.
How to Get Your Credentials
The process involves a few key stages:
1. Application: A partner applies for a P100 Business Account.
2. Verification: Our team reviews and verifies the application.
3. Account Setup: Once approved, we set up your Business Account.
4. API Integration: If you opt for B2B integration, we will then provide you with your unique API credentials:
   - Staging API Key: For testing and development.
   - Production API Key: For your live application.
   - Webhook Security Token: A token sent in a header that allows you to verify that incoming webhook requests genuinely originate from P100.
Let's verify your setup by making a simple, read-only request to fetch the current exchange rates. This is a great way to confirm your API key is working correctly.
All authenticated requests must include your API key in the x-api-key header.
If your API key is missing, invalid, or the request originates from an unauthorized IP address, the server will reject the request with a 401 Unauthorized status. The response body will contain a specific error message indicating the cause.
Example Request (Invalid Key)
❌ Error Responses
The response body will contain one of the following messages:
Access Denied. xo1 → API key was not provided in the request.
Access Denied. xo2 → The provided API key is incorrect.
Access Denied. xo3 → The request originated from an invalid IP address (production only).
Securing your integration is a shared responsibility. Adhering to these principles is mandatory for production access.
Store Keys Securely
Treat your API keys like passwords. Store them securely as environment variables or using a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault). Never hardcode them in your application.
IP Whitelisting
For production, all API requests must originate from a pre-approved list of static IP addresses. Provide your server IPs to our team to get them whitelisted. Requests from unknown IPs will be blocked.
Monitor Activity
Regularly monitor your API usage logs to detect suspicious activity, prevent abuse, and ensure the stability of your service. This is a critical part of maintaining a secure integration.
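The webhook token check and the key-storage rule described above can be combined in a receiver like the following. This is an added example, not P100's own code: the header name X-Webhook-Token and the environment variable P100_WEBHOOK_TOKENS are placeholders, since this guide does not name them, and accepting more than one token at a time is an assumption of this example.

```python
import hmac
import os

# Assumptions: this guide does not name the webhook header or any environment
# variable, so both names below are placeholders for this example.
WEBHOOK_HEADER = "X-Webhook-Token"      # hypothetical header name
TOKEN_ENV_VAR = "P100_WEBHOOK_TOKENS"   # hypothetical env var, comma-separated


def load_webhook_tokens(environ=os.environ):
    """Read accepted tokens from the environment; fail closed if none are set."""
    raw = environ.get(TOKEN_ENV_VAR, "")
    tokens = [t.strip() for t in raw.split(",") if t.strip()]
    if not tokens:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set; refusing to accept webhooks")
    return tokens


def is_authentic_webhook(headers, accepted_tokens):
    """Return True only if the request carries one of the accepted tokens."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get(WEBHOOK_HEADER.lower())
    if not presented:
        return False  # missing or empty header is never authentic
    presented_bytes = presented.strip().encode("utf-8")
    ok = False
    for token in accepted_tokens:
        # compare_digest avoids leaking, through timing, how many leading
        # characters matched; every token is checked, with no early exit.
        ok |= hmac.compare_digest(presented_bytes, token.encode("utf-8"))
    return ok


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    tokens = load_webhook_tokens({TOKEN_ENV_VAR: "sample-token-a,sample-token-b"})
    print(is_authentic_webhook({"x-webhook-token": "sample-token-b"}, tokens))
    print(is_authentic_webhook({"X-Webhook-Token": "guess"}, tokens))
```

Reject the request before parsing its body when the check returns False, and log the rejection without logging the presented token value.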
Next Steps
Now that you understand authentication, it's time to explore what you can build. Dive into the API Reference to discover all available endpoints.