Skip to content
You are offline. Some features may be unavailable.

Authentication

All API requests are authenticated using API keys. Keys are tied to a specific business and carry a set of scopes that control what the key can access.

API keys

Generate keys from Dashboard → Developer API. You can create up to 10 active keys per business. The full key is shown only once at creation — store it securely.

Keys are prefixed with ew_live_ for production and ew_test_ for test mode.

Sending the key

Pass your key in the Authorization header as a Bearer token on every request.

Authorization: Bearer ew_live_xxxxxxxxxxxxxxxxxxxx
Never expose your API key in client-side code or public repositories. Use environment variables and server-side requests only.

Scopes

When creating a key you select which scopes it has. A request to an endpoint that requires a scope your key doesn't have returns 403 Forbidden.

ScopeDescription
invoices:readRead invoices and payment status
invoices:writeCreate, update, send, and delete invoices
contracts:readRead contracts and proposals
clients:readRead client records
clients:writeCreate, update, and delete clients
payments:readRead payment records
expenses:readRead expenses
expenses:writeCreate and update expenses

Key rotation

You can rotate a key from the dashboard. Rotating immediately invalidates the old key and issues a new one with the same name and scopes. Plan for zero-downtime rotation by updating your environment variable before revoking the old key.

Idempotency

Pass an Idempotency-Key header on POST requests to safely retry without creating duplicates. Use a UUID generated per request attempt.

Idempotency-Key: 550e8400-e29b-41d4-a716-446655440000

If a request with the same key is received within 24 hours, the original response is returned without re-executing the operation.