The CashCat API uses API key authentication. All requests must include a valid API key in the Authorization header as a Bearer token.

API key format

API keys are prefixed with cc_live_ followed by a secure random string:
cc_live_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGh
Never share your API keys or commit them to version control. Treat them like passwords.

Making authenticated requests

Include your API key in the Authorization header with the Bearer scheme:
curl -X GET "https://api.cashcat.app/api/v1/budgets" \
  -H "Authorization: Bearer cc_live_YOUR_API_KEY"

Example with different languages

curl -X GET "https://api.cashcat.app/api/v1/budgets" \
  -H "Authorization: Bearer cc_live_YOUR_API_KEY" \
  -H "Content-Type: application/json"

Generating API keys

You can create and manage API keys from your CashCat dashboard:
  1. Navigate to Settings in your CashCat dashboard
  2. Go to the API Keys section
  3. Click Create New Key
  4. Give your key a descriptive name (e.g., “Production Server”, “Development”)
  5. Copy the generated key immediately
API keys are only shown once during creation. Save them securely - you won’t be able to view them again.

Key properties

Each API key has the following properties:
  • Name: A descriptive label to help you identify the key
  • Key prefix: The first 15 characters of the key (e.g., cc_live_AbCdEfG) displayed in the dashboard
  • Created at: Timestamp when the key was created
  • Last used at: Timestamp of the most recent API request using this key

Revoking API keys

If an API key is compromised or no longer needed:
  1. Go to Settings > API Keys in your dashboard
  2. Find the key you want to revoke
  3. Click Revoke
  4. Confirm the action
Revoking an API key cannot be undone. Any applications using the revoked key will immediately lose access.

Security best practices

Store keys securely

Store API keys in environment variables or secure secret management systems, never in your source code:
.env
CASHCAT_API_KEY=cc_live_YOUR_API_KEY
// Good: Load from environment
const apiKey = process.env.CASHCAT_API_KEY;

// Bad: Hardcoded in source
const apiKey = 'cc_live_YOUR_API_KEY';

Use separate keys per environment

Create different API keys for development, staging, and production environments. This allows you to revoke keys without affecting other environments.

Rotate keys regularly

Periodically create new API keys and revoke old ones, especially for production environments.

Monitor key usage

Check the “Last used at” timestamp in your dashboard to identify unused or potentially compromised keys.

Authentication errors

The API returns specific error responses for authentication failures:

Missing authorization header

{
  "error": {
    "code": "unauthorized",
    "message": "Missing or malformed Authorization header",
    "details": null
  }
}
HTTP Status: 401 Unauthorized

Invalid API key

{
  "error": {
    "code": "unauthorized",
    "message": "Invalid API Key",
    "details": null
  }
}
HTTP Status: 401 Unauthorized

This error occurs when:
  • The API key doesn’t exist
  • The API key has been revoked
  • The API key format is invalid

How API keys work

When you create an API key:
  1. A secure random key is generated with the cc_live_ prefix
  2. The key is hashed using SHA-256 before storage
  3. Only the hash is stored in the database for security
  4. The raw key is shown to you once and cannot be recovered
When you make an API request:
  1. The API hashes your provided key
  2. The hash is compared against stored hashes in the database
  3. If a match is found, the request is authenticated as your user
  4. The “last used at” timestamp is updated asynchronously
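
The two flows above, shown as an added Node.js example (not CashCat's own code): the raw key exists only in the return value of creation, and authentication works purely from its SHA-256 hash. The in-memory Map standing in for the database, the function names, and the 32-byte base64url random part are assumptions.

```javascript
// Added illustration, not CashCat's code. The Map stands in for the database.
const crypto = require('node:crypto');

const PREFIX = 'cc_live_';
const keysByHash = new Map(); // SHA-256 hex digest -> key record

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Creation: generate the key, hash it, store only the hash, return the raw key once.
function createApiKey(userId, name) {
  // Assumption: 32 random bytes, base64url-encoded. The page does not state length or alphabet.
  const rawKey = PREFIX + crypto.randomBytes(32).toString('base64url');
  keysByHash.set(sha256(rawKey), {
    userId,
    name,
    keyPrefix: rawKey.slice(0, 15), // all the dashboard can still display
    createdAt: new Date(),
    lastUsedAt: null,
    revoked: false,
  });
  return rawKey; // never persisted, so it cannot be shown again
}

// Simplification: a dashboard would revoke by record, not by raw key.
function revokeApiKey(rawKey) {
  const record = keysByHash.get(sha256(rawKey));
  if (record) record.revoked = true;
}

const unauthorized = (message) => ({
  status: 401,
  body: { error: { code: 'unauthorized', message, details: null } },
});

// Request: hash the presented key and look the hash up.
function authenticate(authorizationHeader) {
  const match = /^Bearer (\S+)$/.exec(authorizationHeader || '');
  if (!match) return unauthorized('Missing or malformed Authorization header');
  const presented = match[1];
  const record = presented.startsWith(PREFIX) ? keysByHash.get(sha256(presented)) : undefined;
  // Unknown, revoked and badly formatted keys all get the same response.
  if (!record || record.revoked) return unauthorized('Invalid API Key');
  setImmediate(() => { record.lastUsedAt = new Date(); }); // updated off the request path
  return { status: 200, userId: record.userId };
}
```

Unsalted SHA-256 is adequate in this scheme because the key is a long random value rather than a user-chosen password.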
