Authentication

Every request to the Geldstuck API is authenticated with an API key pair. Every request to a tenant-scoped endpoint must include your API key pair:

Header	Value
`x-api-key`	Your publishable key, e.g. `pk_live_...`
`x-api-secret`	Your secret key, e.g. `sk_live_...`
`Content-Type`	`application/json`

The tenant is resolved automatically from the key pair - you never pass tenantId in the URL or body. See Authentication concepts for the full model - key types, rotation, and SSO.

Example

curl https://api.geldstuck.com/v1/tenants/me \
  -H "x-api-key: pk_live_51H..." \
  -H "x-api-secret: sk_live_51H..."

A successful request returns 200 with the tenant profile:

{
  "tenantId": "tnt_01HX3Z8MQW...",
  "name": "Acme Escrow",
  "status": "active",
  "createdAt": "2026-04-22T09:12:44.000Z"
}

Errors

Status	Code	Cause
`401`	`key_missing`	Both headers must be present.
`401`	`key_invalid`	Key pair doesn’t match an active key.
`401`	`key_revoked`	Key was revoked. Use a new one.
`403`	`key_forbidden`	Key lacks permission for this action.

Introduction

Tenants

API keys

Users

KYC

Source of funds

Transactions

Document review

Webhook endpoints

Payments

Example

Errors

Introduction

Tenants

API keys

Users

KYC

Source of funds

Transactions

Document review

Webhook endpoints

Payments

​Example

​Errors

Example

Errors