API Access
Info: API access is available on the Business plan.
API keys
API keys can be generated in the organization settings. Each key is scoped to a single organization and grants programmatic access to the Rekivo API.
Warning: Keep your API keys secret. Do not share them in client-side code or public repositories. Rotate keys immediately if they are compromised.
Authentication
Include your API key in the Authorization header of every request:
Authorization: Bearer rek_your_api_key_here
All API responses are JSON. Errors return a { "message": "..." } body with an appropriate HTTP status code.
Granular scopes
When creating an API key, you can restrict its permissions to specific scopes. Keys with no scopes assigned have full access (backwards compatible).
| Scope | Description |
|---|---|
| invoices:read | List invoices, view details, download XML/PDF |
| invoices:write | Update metadata, change workflow status, add comments |
| invoices:delete | Delete invoices |
| upload:write | Upload new invoices |
| export:read | List exports and download archives |
| export:write | Create new exports |
Tip: Use the principle of least privilege: create keys with only the scopes your integration needs. For example, a read-only dashboard integration only needs invoices:read.
Available endpoints
Invoices
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/invoices | List all invoices (paginated) |
| GET | /api/invoices/:id | Get invoice details |
| GET | /api/invoices/:id/xml | Download original XML |
| GET | /api/invoices/:id/pdf | Download rendered PDF |
| PATCH | /api/invoices/:id/metadata | Update invoice metadata |
| DELETE | /api/invoices/:id | Delete an invoice |
Status changes
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/invoices/:id/approve | Approve invoice |
| POST | /api/invoices/:id/reject | Reject invoice |
| POST | /api/invoices/:id/mark-paid | Mark as paid |
| POST | /api/invoices/:id/archive | Archive invoice |
Upload
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/upload | Upload a new invoice (multipart form) |
Export
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/export | List recent exports |
| POST | /api/export | Create a new export |
| GET | /api/export/:id/download | Download export archive |
Rate limiting
API requests are rate-limited per key. If you exceed the limit, you will receive a 429 Too Many Requests response. The response includes Retry-After headers indicating when you can retry.
Error codes
| Status | Meaning |
|---|---|
| 400 | Bad request — invalid parameters |
| 401 | Unauthorized — missing or invalid API key |
| 403 | Forbidden — insufficient scopes or plan |
| 404 | Not found |
| 429 | Rate limit exceeded |
| 500 | Internal server error |
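The scope table and the endpoint list can be combined into a least-privilege check for a key before it is issued. The following is an added example, not Rekivo's code: the endpoint-to-scope mapping is inferred from the scope descriptions and is an assumption, and the function names and sample calls are hypothetical.

```python
import re

# Endpoint-to-scope mapping inferred from the scope descriptions on this page
# (an assumption: the page does not state the required scope per endpoint).
ROUTE_SCOPES = [
    ("GET",    r"/api/invoices",                 "invoices:read"),
    ("GET",    r"/api/invoices/[^/]+",           "invoices:read"),
    ("GET",    r"/api/invoices/[^/]+/(xml|pdf)", "invoices:read"),
    ("PATCH",  r"/api/invoices/[^/]+/metadata",  "invoices:write"),
    ("POST",   r"/api/invoices/[^/]+/(approve|reject|mark-paid|archive)", "invoices:write"),
    ("DELETE", r"/api/invoices/[^/]+",           "invoices:delete"),
    ("POST",   r"/api/upload",                   "upload:write"),
    ("GET",    r"/api/export",                   "export:read"),
    ("GET",    r"/api/export/[^/]+/download",    "export:read"),
    ("POST",   r"/api/export",                   "export:write"),
]

def required_scope(method, path):
    """Return the scope one call needs; raise for an endpoint not listed."""
    path = path.split("?", 1)[0].rstrip("/")  # ignore query string
    for route_method, pattern, scope in ROUTE_SCOPES:
        if route_method == method.upper() and re.fullmatch(pattern, path):
            return scope
    raise ValueError(f"unknown endpoint: {method} {path}")

def minimal_scopes(calls):
    """Smallest scope set covering every (method, path) an integration makes."""
    return sorted({required_scope(m, p) for m, p in calls})

def audit_key(granted, calls):
    """Compare a key's granted scopes with what the integration needs."""
    all_scopes = {scope for _, _, scope in ROUTE_SCOPES}
    needed = set(minimal_scopes(calls))
    # A key with no scopes assigned has full access, so treat it as all scopes.
    effective = set(granted) or all_scopes
    return {"missing": sorted(needed - effective),
            "excess": sorted(effective - needed)}

# Constructed sample: calls made by a read-only dashboard integration.
DASHBOARD_CALLS = [("GET", "/api/invoices"), ("GET", "/api/invoices/42/pdf")]

if __name__ == "__main__":
    print(minimal_scopes(DASHBOARD_CALLS))
    print(audit_key([], DASHBOARD_CALLS))  # unscoped key: everything else is excess
```

A non-empty "excess" list marks scopes to remove from the key; a non-empty "missing" list predicts 403 responses for the integration.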