API Keys

All requests to the M2M Partner API require authentication using an API key. You can manage your API keys in the Partner Portal.

Key format

API keys follow a specific format that indicates the environment:
Prefix | Environment | Example
m2m_test_ | Sandbox | m2m_test_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
m2m_live_ | Production | m2m_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

API keys are shown only once when created. Store them securely - you cannot retrieve the full key later.

Using your API key

Include your API key in the X-API-Key header for all requests:
curl -X POST https://api.m2m.leapfinancial.com/partner/links \
  -H "X-API-Key: m2m_live_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{"referenceId": "user_123"}'

Managing API keys

From the Partner Portal, you can:
  • Create new keys - Generate additional keys for different services or environments
  • Revoke keys - Immediately invalidate a compromised key
  • View key prefixes - See which keys are active (full keys are never shown again)
  • Track usage - Monitor when each key was last used
Create separate API keys for different services or environments. This makes it easier to rotate keys without disrupting all integrations.

Authentication errors

When authentication fails, you’ll receive one of these error responses:

Missing API key

{
  "code": "UNAUTHORIZED",
  "message": "Missing authentication. Provide X-API-Key or Bearer token."
}

Invalid or revoked key

{
  "code": "INVALID_API_KEY",
  "message": "Invalid or revoked API key"
}

Suspended partner

{
  "code": "PARTNER_SUSPENDED",
  "message": "Partner account is suspended or not found"
}

Webhook authentication

When M2M sends webhooks to your endpoint, each request includes a signature so you can verify it came from M2M.

Webhook headers

Every webhook includes these headers:
Header | Description
X-M2M-Signature | HMAC-SHA256 signature (format: sha256=<hex>)
X-M2M-Timestamp | Unix timestamp when the webhook was sent
X-M2M-Event | Event type (e.g., link.opened)

Webhook secret

Your webhook secret is available in the Partner Portal under webhook settings. The secret format is:
whsec_<48_hex_characters>
Keep your webhook secret secure. If compromised, regenerate it immediately in the Partner Portal.

Verifying signatures

See the Webhook Security guide for complete verification examples in multiple languages.

Security best practices

  • Never commit API keys to version control
  • Use environment variables or a secrets manager
  • Restrict access to keys on a need-to-know basis
  • Use m2m_test_* keys in development and staging
  • Use m2m_live_* keys only in production
  • Never use production keys for testing
  • Create a new key before revoking the old one
  • Update your services to use the new key
  • Revoke the old key once migration is complete
  • Track API usage patterns
  • Set up alerts for unusual activity
  • Review webhook delivery logs regularly
  • Always verify the X-M2M-Signature header
  • Check the timestamp to prevent replay attacks
  • Reject webhooks with invalid signatures
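
As an added example (not part of the M2M documentation or its tooling), the key and secret formats on this page can back a pre-commit scan and a startup check for the "never commit" and "separate keys per environment" practices. The key body of 16 or more alphanumeric characters is an assumption drawn from the example keys, and `scan`, `redact` and `check_environment` are hypothetical helper names.

```python
import re

# Patterns built from the formats documented on this page. The key body's
# alphabet and minimum length are assumptions based on the example keys
# (32 alphanumeric characters); 16 or more is accepted to be lenient.
API_KEY_RE = re.compile(r"\bm2m_(test|live)_[A-Za-z0-9]{16,}\b")
WEBHOOK_SECRET_RE = re.compile(r"\bwhsec_[0-9a-fA-F]{48}\b")
ENV_BY_PREFIX = {"test": "sandbox", "live": "production"}

# Constructed sample: a config file someone is about to commit.
SAMPLE = """\
API_URL=https://api.m2m.leapfinancial.com/partner
M2M_API_KEY=m2m_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
# placeholder from the docs, must not be flagged:
M2M_API_KEY=m2m_live_your_api_key_here
WEBHOOK_SECRET=whsec_0123456789abcdef0123456789abcdef0123456789abcdef
"""

def redact(secret, keep=4):
    """Keep the type/environment prefix and last few characters, mask the rest."""
    head, _, body = secret.rpartition("_")
    return f"{head}_{'*' * (len(body) - keep)}{body[-keep:]}"

def scan(text, source="<input>"):
    """Return findings as (source, line number, kind, redacted value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in API_KEY_RE.finditer(line):
            kind = f"api_key:{ENV_BY_PREFIX[m.group(1)]}"
            findings.append((source, lineno, kind, redact(m.group(0))))
        for m in WEBHOOK_SECRET_RE.finditer(line):
            findings.append((source, lineno, "webhook_secret", redact(m.group(0))))
    return findings

def check_environment(api_key, deploy_env):
    """Raise if the key is malformed or its prefix does not fit deploy_env."""
    m = API_KEY_RE.fullmatch(api_key)
    if m is None:
        raise ValueError("value does not look like an M2M API key")
    key_env = ENV_BY_PREFIX[m.group(1)]
    # Only a deployment named "production" may hold a live key.
    wanted = "production" if deploy_env == "production" else "sandbox"
    if key_env != wanted:
        raise ValueError(f"{key_env} key used in {deploy_env} deployment")
    return key_env

if __name__ == "__main__":
    for finding in scan(SAMPLE, "config.env"):
        print(*finding)
```

Findings carry only the redacted value, so the scanner's own output can be logged or posted to CI without leaking the secret a second time.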
