The Payout API authenticates every request with an API key passed as a bearer token. Requests without a valid key return 401 Unauthorized.

Generate an API key

API keys are managed from your Karat dashboard under Settings. From there you can:
  • Generate a new key
  • View your existing keys
  • Revoke a key that may have been compromised
Your API key is shown only once at creation time. Copy it and store it somewhere secure immediately — you can’t retrieve it again later.

Authorize requests

Include your key in the Authorization header as a bearer token on every request:
curl https://payouts.api.trykarat.com/recipients \
  -H "Authorization: Bearer YOUR_API_KEY"

Storing keys securely

  • Never commit API keys to source control or embed them in client-side code.
  • Load keys from environment variables or a secrets manager.
  • Use separate keys for sandbox and production.
  • Rotate keys periodically, and revoke any key that may be exposed.
Each key is scoped to the organization and user that created it. Revoking a key takes effect immediately for all future requests.
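
An added example, not part of Karat's documentation: a shell helper that applies the list above by reading the key from an environment variable and handing it to curl on stdin instead of on the command line. The variable name KARAT_API_KEY and the function names are assumptions; the endpoint is the one shown earlier on this page.

```shell
#!/usr/bin/env bash
# Added example. KARAT_API_KEY is an assumed variable name, expected to be
# injected by your shell profile, CI secret store or secrets manager.

# Print the Authorization header line, or fail if the key is missing or malformed.
karat_auth_header() {
  local key="${KARAT_API_KEY:-}"
  if [ -z "$key" ]; then
    echo "KARAT_API_KEY is not set; load it from your secrets manager" >&2
    return 1
  fi
  # Reject whitespace and control characters (for example a newline picked up
  # when the key was pasted), which would corrupt or split the header.
  if [ "$key" != "$(printf '%s' "$key" | tr -d '[:space:][:cntrl:]')" ]; then
    echo "KARAT_API_KEY contains whitespace or control characters" >&2
    return 1
  fi
  printf 'Authorization: Bearer %s\n' "$key"
}

# GET a path on the Payout API and write the response body to stdout.
# Returns 0 on 2xx, 2 on 401 (missing, invalid or revoked key), 1 otherwise.
karat_get() {
  local path="$1" header status body
  header="$(karat_auth_header)" || return 1
  body="$(mktemp)" || return 1
  # -H @- makes curl read the header from stdin (curl 7.55.0 or later), so the
  # key never appears in curl's argument list, which is visible through ps.
  status="$(printf '%s\n' "$header" | curl --silent --show-error -H @- \
    --output "$body" --write-out '%{http_code}' \
    "https://payouts.api.trykarat.com${path}")" || { rm -f "$body"; return 1; }
  cat "$body"; rm -f "$body"
  case "$status" in
    2??) return 0 ;;
    401) echo "401 Unauthorized: key missing, invalid or revoked" >&2; return 2 ;;
    *)   echo "unexpected HTTP status $status" >&2; return 1 ;;
  esac
}

# Usage, with the key already present in the environment:
#   karat_get /recipients
```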