Authentication
All API requests are authenticated using API keys. Keys are tied to a specific business and carry a set of scopes that control what the key can access.
API keys
Generate keys from Dashboard → Developer API. You can create up to 10 active keys per business. The full key is shown only once at creation — store it securely.
Keys are prefixed with ew_live_ for production and ew_test_ for test mode.
Sending the key
Pass your key in the Authorization header as a Bearer token on every request.
Authorization: Bearer ew_live_xxxxxxxxxxxxxxxxxxxx
Scopes
When creating a key you select which scopes it has. A request to an endpoint that requires a scope your key doesn't have returns 403 Forbidden.
| Scope | Description |
|---|---|
invoices:read | Read invoices and payment status |
invoices:write | Create, update, send, and delete invoices |
contracts:read | Read contracts and proposals |
clients:read | Read client records |
clients:write | Create, update, and delete clients |
payments:read | Read payment records |
expenses:read | Read expenses |
expenses:write | Create and update expenses |
Key rotation
You can rotate a key from the dashboard. Rotating immediately invalidates the old key and issues a new one with the same name and scopes. Plan for zero-downtime rotation by updating your environment variable before revoking the old key.
Idempotency
Pass an Idempotency-Key header on POST requests to safely retry without creating duplicates. Use a UUID generated per request attempt.
Idempotency-Key: 550e8400-e29b-41d4-a716-446655440000
If a request with the same key is received within 24 hours, the original response is returned without re-executing the operation.