Skip to main content
API v2 is deprecated. This version will be discontinued on December 31, 2026. Please migrate to API v3 for new features, improved security, and continued support.

Authentication

All API requests to FYATU require authentication using two headers. This ensures that only authorized applications can access your business data and perform card operations.

Required Headers

Every request must include these two headers:
HeaderDescriptionExample
Business-IDYour unique business identifierBUS_abc123def456
AuthorizationBearer token with your API keyBearer sk_live_xxxxx
Example Request
curl -X GET "https://api.fyatu.com/api/v2/account/status" \
  -H "Business-ID: BUS_abc123def456" \
  -H "Authorization: Bearer sk_live_your_api_key"

Getting Your Credentials

  1. Log into your Business Dashboard
  2. Navigate to API Keys & Credentials tab
  3. Copy your Business ID and API Key
API Keys & Credentials Dashboard
Your Business ID is permanent and cannot be changed. Your API Key is only shown once when generated - store it securely!
Never expose your API keys in client-side code, public repositories, or logs.API keys grant full access to your business account and all its operations.

IP Whitelisting (Optional)

For additional security, you can restrict API access to specific IP addresses:
  1. Go to Settings > API > Security
  2. Add your server’s IP addresses
  3. Only requests from whitelisted IPs will be accepted
Whitelist Example
{
  "whitelistedIPs": [
    "203.0.113.50",
    "203.0.113.51",
    "2001:db8::1"
  ]
}
IP whitelisting is optional but recommended for production environments.

Authentication Errors

Status CodeErrorSolution
401Missing credentialsInclude both Business-ID and Authorization headers
401Invalid Business IDVerify your Business ID is correct
401Invalid API KeyCheck your API key and ensure it’s active
401IP not authorizedAdd your IP to the whitelist in dashboard
401Business not activeContact support to activate your account
Error Response Example
{
  "status": "failed",
  "statusCode": 401,
  "errors": true,
  "message": "Unauthorized: Missing credentials",
  "data": []
}

Best Practices

Use environment variables or a secrets manager. Never hardcode API keys in your source code.
.env file
FYATU_BUSINESS_ID=BUS_abc123def456
FYATU_API_KEY=sk_live_your_api_key
Use sk_test_ keys for development and sk_live_ keys only in production.
Generate new API keys periodically and deprecate old ones. You can have multiple active keys during rotation.
Check your dashboard regularly for unusual activity or unexpected API calls.

Code Examples

// Using environment variables
const BUSINESS_ID = process.env.FYATU_BUSINESS_ID;
const API_KEY = process.env.FYATU_API_KEY;

async function fyatuRequest(endpoint, options = {}) {
  const response = await fetch(`https://api.fyatu.com/api/v2${endpoint}`, {
    ...options,
    headers: {
      'Business-ID': BUSINESS_ID,
      'Authorization': `Bearer ${API_KEY}`,
      'Content-Type': 'application/json',
      ...options.headers
    }
  });

  return response.json();
}

// Usage
const balance = await fyatuRequest('/account/balance');