Authentication

Every API request is authenticated with a bearer token. You mint that token from an API key, then send it as an Authorization header on each call.

1. Get your API key

Create and manage API keys in your Xental dashboard. Each key has a test or live mode and a client id + secret — the secret is shown once, so copy it immediately. (Account signup, onboarding, and key management all happen in the dashboard, not through the API.)

2. Exchange the key for a bearer token

Trade the client id + secret for a short-lived bearer token (valid ~1 hour).

cURL
curl -X POST "https://api.xental.online/api/v1/auth/token" \
  -H "Content-Type: application/json" \
  -d '{ "clientId": "xnt_test_...", "clientSecret": "sk_test_..." }'

3. Call the API with the token

Send the token as a bearer header on every request. Re-request a token when it expires.

cURL
curl "https://api.xental.online/api/v1/virtual-accounts/inv_001" \
  -H "Authorization: Bearer <API_TOKEN>"

Test vs live

A key's mode travels inside every token minted from it, so calls always run against the matching environment. A test key works immediately and moves no real money — build and verify against it with the sandbox simulator. A live key becomes available once your account is approved in the dashboard.

Errors

All errors are JSON problem details with a stable status and message: 401 unauthenticated (missing/expired token), 403 wrong plane or a live key on a sandbox-only tool, 404 not found, 409 conflict.