
What Is a Static Token?

Revolv3 authenticates requests using the x-revolv3-token header. The value you send in this header is your static token. In the Revolv3 portal, you create and manage static tokens under Settings → Integration Profile → Developer Static Tokens. Older documentation may refer to this value as an API key or merchant access token, but the credential itself is the same static token used in x-revolv3-token.

Using the x-revolv3-token Header

Every API request must include your token in the x-revolv3-token header. This header tells Revolv3 who you are and that you’re authorized to make the request.

How to Get Your Token

You can obtain your x-revolv3-token in two ways:

1. Revolv3 Portal

  1. Log in to the Revolv3 Portal (or Sandbox Portal for testing)
  2. Navigate to Settings → Integration Profile
  3. Find your Developer Static Token
  4. Copy it securely (never share it or commit it to version control)

2. Revolv3 Support

If you need assistance or can’t find your token in the portal, log into the portal and use the help icon to submit a support ticket.

Using Your Token in API Requests

Include your token in the x-revolv3-token header on every API request. Here’s how:

Required Headers

Header Key      | Value            | Description
--------------- | ---------------- | -----------------------------------------------
x-revolv3-token | Your static token | Required - Credential used for authentication
Content-Type    | application/json | Required - Indicates JSON request body
Accept          | application/json | Recommended - Requests JSON response format

Note: Headers like Content-Length and Host are automatically calculated by your HTTP client—you don’t need to set them manually. For a canonical list and additional examples, see Required HTTP Headers.

Example: Using curl

Replace {{Api Root}} with your environment’s base URL:
  • Production: api.revolv3.com
  • Sandbox: api-sandbox.revolv3.com
Replace [your-static-token] with your actual token.
curl --location 'https://{{Api Root}}/api/payments/sale' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'x-revolv3-token: [your-static-token]' \
  --data '{
    "Invoice": {
      "Amount": { "value": 10.00 }
    },
    "PaymentMethod": {
      "CreditCard": {
        "PaymentAccountNumber": "4111111111111111",
        "ExpirationDate": "1230",
        "SecurityCode": "123"
      }
    }
  }'

Example: Using Postman

In Postman, add the x-revolv3-token header in the Headers tab:
  1. Go to the Headers tab
  2. Add a new header:
    • Key: x-revolv3-token
    • Value: Your static token
  3. Also add Content-Type: application/json

Example: API Request Structure

Here’s what a complete request looks like:

Endpoint: POST {{Api Root}}/api/Customers

Replace {{Api Root}} with:
  • api.revolv3.com for production
  • api-sandbox.revolv3.com for sandbox
Headers:
x-revolv3-token: your-unique-static-authentication-token
Content-Type: application/json
Accept: application/json
Body:
{
  "FirstName": "John",
  "LastName": "Doe"
}

Legacy Bearer Token (Deprecated)

Legacy only: Revolv3 still supports a bearer-token authentication flow for older integrations, but new integrations should not use it. If you maintain a legacy integration and need details, contact Revolv3 support via the portal.

Security Best Practices

  • Store tokens securely: Use environment variables or a secrets manager (never hardcode)
  • Use different tokens: Separate tokens for sandbox and production
  • Rotate regularly: Change your tokens periodically for better security
  • Server-side only: Never use tokens in browser or mobile app code
  • Don’t commit tokens: Never commit tokens to version control
  • Don’t log tokens: Never log or display full tokens in your application
For detailed security guidance, see Security Best Practices.
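
The practices above in a server-side Python client, as an added example that is not Revolv3's own code: the token is read from a per-environment variable, the request fails closed when it is missing, and only a redacted form reaches the logs. The variable names REVOLV3_TOKEN_SANDBOX and REVOLV3_TOKEN_PRODUCTION and all helper names are assumptions of this example.

```python
import json
import os
import urllib.request

# Hosts as listed on this page.
API_ROOTS = {"production": "api.revolv3.com", "sandbox": "api-sandbox.revolv3.com"}
TOKEN_HEADER = "x-revolv3-token"


def load_token(env, environ=os.environ):
    """Read the static token for one environment; fail closed if it is missing."""
    # Assumed naming: REVOLV3_TOKEN_SANDBOX / REVOLV3_TOKEN_PRODUCTION.
    name = f"REVOLV3_TOKEN_{env.upper()}"
    token = environ.get(name, "").strip()
    if not token:
        raise RuntimeError(f"{name} is not set")
    return token


def redact(token):
    """Keep only the last 4 characters so logs can tell tokens apart."""
    return "*" * 8 + (token[-4:] if len(token) >= 12 else "")


def build_request(env, path, body, environ=os.environ):
    """Build (but do not send) a POST carrying the required headers."""
    if env not in API_ROOTS:
        raise ValueError(f"unknown environment: {env!r}")
    headers = {
        TOKEN_HEADER: load_token(env, environ),
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    url = f"https://{API_ROOTS[env]}{path}"
    return urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")


def loggable_headers(req):
    """Copy of the request headers that is safe to write to logs."""
    return {k: redact(v) if k.lower() == TOKEN_HEADER else v for k, v in req.header_items()}


if __name__ == "__main__":
    # Constructed token for the demo; real values come from the process environment.
    demo_env = {"REVOLV3_TOKEN_SANDBOX": "constructed-sandbox-token-1234"}
    req = build_request("sandbox", "/api/Customers", {"FirstName": "John", "LastName": "Doe"}, demo_env)
    print(req.get_method(), req.full_url, loggable_headers(req))
    # To send: urllib.request.urlopen(req, timeout=10)
```

Because each environment has its own variable, a sandbox token cannot be sent to the production host by accident, and a missing variable raises an error instead of producing an unauthenticated request.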
