qk_live_ followed by 32 alphanumeric characters, and are created in the dashboard under Developers → API keys.
Sending your key
Use either header — they’re equivalent:Scopes
Each key carries one or both scopes, chosen at creation:| Scope | Grants |
|---|---|
| Write | POST /api/v1/intents — creating payment intents |
| Read | GET /api/v1/intents/{id} and GET /api/v1/intents — reading payments |
403 and a problem document such as "This API key lacks the Write scope." Grant only what an integration needs — a reporting job needs Read, not Write.
Keys are shown once
The full key appears only in the creation response. Qint stores a SHA-256 hash; the key list shows just a prefix (e.g.qk_live_x7k2) plus label, scopes and last-used time. If a key is lost, it cannot be recovered — create a new one.
Rotating keys
Rotation is zero-downtime because multiple keys can be active at once:- Create a new key with the same scopes.
- Deploy the new key to your systems.
- Revoke the old key in the dashboard (Developers → API keys → Revoke). Revocation is immediate — requests with a revoked key get
401.
Other requirements
- Your merchant account must be approved — keys of unapproved merchants are rejected.
- The API is rate limited; a
429response means back off and retry. Pair retries with idempotency keys so they’re always safe.
Related
API reference
Endpoints, schemas, and error shapes.
Webhook signatures
Webhooks use a separate
whsec_… secret — don’t mix them up.