Skip to main content
ParseTx authenticates every request using an API key that you generate from the dashboard. There are no OAuth flows, no rotating tokens, and no session management to worry about — just a single key passed as an HTTP header on every call. This guide explains how to get your key, how to send it, and how to handle it securely so you’re never caught off guard by an unexpected 401.

Getting an API Key

To generate a key, visit https://parsetx.dev/#pricing and click Get API Key. During sign-up you’ll provide:
  • Your email address — used for billing notifications and account recovery.
  • A credit card — required to prevent automated abuse of the API. You are only charged for actual usage at $0.005 per request. There are no monthly fees and no charges for simply having an account.
Once the sign-up flow completes, your key is displayed immediately: 
pt_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Your API key is shown exactly once. ParseTx never stores the raw key value — only a SHA-256 hash of it. If you lose your key, you must generate a new one from the dashboard. There is no way to recover the original.

Sending Your API Key

ParseTx supports two authentication methods. Both are equivalent — use whichever fits your stack. Pass your key in the X-API-Key header. This is the preferred method and what all ParseTx documentation examples use. 
curl -X POST https://api.parsetx.com/v1/enrich \
  -H "X-API-Key: pt_live_yourkeyhere" \
  -H "Content-Type: application/json" \
  -d '{"transactions": ["UBER * EATS PENDING"]}'

Method 2: Bearer Token

Alternatively, pass your key as a Bearer token in the Authorization header. This is useful when integrating with tools or frameworks that expect standard OAuth-style headers. 
curl -X POST https://api.parsetx.com/v1/enrich \
  -H "Authorization: Bearer pt_live_yourkeyhere" \
  -H "Content-Type: application/json" \
  -d '{"transactions": ["UBER * EATS PENDING"]}'
You cannot use both headers in the same request. If both are present, X-API-Key takes precedence.

Error Responses

When authentication fails, the API returns 401 Unauthorized. There are two distinct error messages: Missing key — returned when the X-API-Key header is absent or empty: 
{"error": "Missing API key. Provide your key via the X-API-Key header."}
Invalid or revoked key — returned when the key is present but does not match any active account: 
{"error": "Invalid or revoked API key."}
If you see the second error and your key was previously working, it may have been revoked from the dashboard. Generate a new key and update your environment configuration.

Security Best Practices

Use Environment Variables

Never hardcode your API key directly in source files. Store it as an environment variable and read it at runtime.
Set PARSETX_API_KEY=pt_live_... in your .env file (and add .env to your .gitignore). The ParseTx SDKs automatically read from this variable if no key is passed explicitly to the client constructor — so you can initialize the client with zero configuration in local development.
Here’s how this looks in practice: 
# .env (never commit this file)
PARSETX_API_KEY=pt_live_yourkeyhere
Node.js
import { ParseTxClient } from '@parsetx/sdk';

// Reads PARSETX_API_KEY from the environment automatically
const client = new ParseTxClient(process.env.PARSETX_API_KEY);
Python
import os
from parsetx import ParseTxClient

client = ParseTxClient(api_key=os.environ.get('PARSETX_API_KEY'))

Keep Keys Out of Version Control

Before committing code, double-check that your key is not embedded in:
  • Source files or configuration files checked into Git
  • Docker images or container build artifacts
  • Client-side JavaScript bundles served to browsers
  • Public API documentation or README examples
If you accidentally expose a key, revoke it immediately from the dashboard and generate a replacement.

How ParseTx Protects Your Key

On the server side, ParseTx applies the following protections:
  • SHA-256 hashing at ingestion — your raw API key is hashed immediately on arrival and the raw value is discarded. Only the hash is stored in the database, so a database breach cannot expose your key.
  • No recovery path — because the raw key is never persisted, there is no support escalation path that could be socially engineered to retrieve it. The only way to get a new key is through the dashboard with verified account access.
  • Revocation — you can invalidate a key at any time from the dashboard. Revoked keys return 401 immediately with no grace period.