Guide

Authentication

Learn how to authenticate with the Invoice-api.xhub API and securely manage your API keys.

API Key Types

Test Key

Sandbox
sk_test_...
  • Free for development
  • No real invoices
  • Full API functionality

Live Key

Production
sk_live_...
  • For production environment
  • Creates real e-invoices
  • Pay-per-use billing

Using the API Key

Send your API key in the Authorization header as a Bearer token with every request:

curl

bash
curl -X POST https://service.invoice-api.xhub.io/api/v1/invoice/DE/XRECHNUNG/generate \
  -H "Authorization: Bearer sk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"seller": {...}, "buyer": {...}, ...}'

Node.js

typescript
const response = await fetch('https://service.invoice-api.xhub.io/api/v1/invoice/DE/XRECHNUNG/generate', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer ' + process.env.XHUB_API_KEY,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify(invoiceData)
});

Important

Never send API keys in the query string or request body. Always use the Authorization header.

Security Best Practices

Use Environment Variables

Store API keys in environment variables, never in code.

Don't Commit

Add .env to .gitignore. Use Secret Manager in CI/CD.

Rotate Keys Regularly

Create new keys every 90 days and deactivate old ones.

Minimal Permissions

Use separate keys for different environments.

Example: .env

bash
# .env
XHUB_API_KEY=sk_live_abc123...

# Never commit this file!
# Add .env to .gitignore

Rate Limits

API requests are limited based on your plan. When exceeded, you receive a 429 Too Many Requests error.

Plan        Requests/Minute   Burst Limit
Free        100/min           10/sec
Starter     500/min           50/sec
Business    2,000/min         200/sec
Enterprise  Unlimited         Custom

Rate Limit Headers

Every response includes headers with your current limit status:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1705312800

Key Rotation

1. Create New Key

Create a new API key in the dashboard.

2. Update Deployment

Replace the old key in your application.

3. Delete Old Key

Deactivate the old key in the dashboard.

Auth Errors

401 Unauthorized

API key is missing or invalid. Check the Authorization header.

403 Forbidden

API key has no permission for this action or is deactivated.

429 Too Many Requests

Rate limit exceeded. Wait and try again.
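
Client-side handling of the key types, auth errors and rate limit headers described above, as an added example that is not code from xhub. It assumes X-RateLimit-Reset is a Unix timestamp in seconds; the function names, the 1-second floor and the 60-second cap are hypothetical choices.

```typescript
// Added example (not xhub's client code). All names and both wait bounds are assumptions.
interface HeaderSource { get(name: string): string | null | undefined }
interface Action { kind: 'ok' | 'retry' | 'fail'; waitMs?: number; reason?: string }

const MIN_WAIT_MS = 1000;
const MAX_WAIT_MS = 60000;

// Refuse to start if the key type does not match the environment,
// so a live key never ends up in a development build (or a test key in production).
function keyMatchesEnv(key: string, env: 'production' | 'development'): boolean {
  return key.startsWith(env === 'production' ? 'sk_live_' : 'sk_test_');
}

// Log-safe form of a key: the type prefix only, never the secret part.
function redactKey(key: string): string {
  const m = /^sk_(live|test)_/.exec(key);
  return m ? `${m[0]}***` : '***';
}

// Decide what to do with a response, using the status codes and headers listed on this page.
// Assumption: X-RateLimit-Reset is a Unix timestamp in seconds.
function classifyResponse(status: number, headers: HeaderSource, nowMs: number): Action {
  if (status >= 200 && status < 300) return { kind: 'ok' };
  // 401/403 are key problems: retrying with the same key cannot succeed.
  if (status === 401) return { kind: 'fail', reason: 'API key missing or invalid' };
  if (status === 403) return { kind: 'fail', reason: 'API key lacks permission or is deactivated' };
  if (status === 429) {
    const reset = Number(headers.get('X-RateLimit-Reset'));
    const untilReset = Number.isFinite(reset) && reset > 0 ? reset * 1000 - nowMs : MIN_WAIT_MS;
    // Clamp: a missing, stale or absurd header must not cause a hot loop or an endless sleep.
    return { kind: 'retry', waitMs: Math.min(Math.max(untilReset, MIN_WAIT_MS), MAX_WAIT_MS) };
  }
  return { kind: 'fail', reason: `HTTP ${status}` };
}
```

Pass `Date.now()` as `nowMs` and the `headers` object of a `fetch` response as `headers`; log keys only through `redactKey`.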

What's Next

Got your API key? Then create your first invoice.