api_key security for /v1/request-money. You authenticate by sending your integrator secret on every protected request.
API key
| Item | Detail |
|---|---|
| Header | X-API-Key |
| Scope | Per environment (sandbox vs production). Use the key issued for the base URL you call. |
| Banrural sandbox host | https://banrural-request-api-sandbox.up.railway.app (versioned root: .../v1) |
Example
Error responses
| HTTP status | When it happens |
|---|---|
| 401 Unauthorized | Missing or invalid X-API-Key. |
| 403 Forbidden | POST when the request is blocked by screening (for example OFAC). |
| 404 Not Found | GET when the resource is not found for that referenceId (see OpenAPI for the error body). |
| 422 Unprocessable Entity | Validation failures on POST or invalid referenceId on GET (shape and rules as documented in OpenAPI). |
Do not log secrets
Do not log secrets
Strip or redact
X-API-Key values from application logs, APM traces, and support bundles.Gateways and mTLS
Gateways and mTLS
Your host may terminate TLS, enforce IP allowlists, or require mutual TLS in front of this service. Treat this page as the contract for the application process; follow any additional controls your integration contact documents.
Rotating keys
Rotating keys
Plan a key rotation with your integration contact so you can switch
REQUEST_API_KEY and client headers without downtime, if your deployment supports overlapping keys.