Required HTTP Headers

This page documents the HTTP headers you must include when calling the Revolv3 API. Keep these headers consistent across environments (sandbox vs production) and never expose your static token in client-side code.

Required headers

  • Content-Type: application/json
    • Indicates JSON request body for POST/PUT endpoints.
  • x-revolv3-token: <your-static-token>
    • Your Revolv3 static token used for authentication. Must be supplied on every API request. Store this securely on the server and rotate periodically.
  • Accept: application/json (recommended)
    • Explicitly request JSON responses.

Example: payments sale (curl)

Replace [your-token] and the environment URL as appropriate.
curl --location 'https://api-sandbox.revolv3.com/api/payments/sale' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'x-revolv3-token: [your-token]' \
  --data '{
    "NetworkProcessing": {
      "processingType": "initialRecurring",
      "originalNetworkTransactionId": null
    },
    "includeRawProcessorResponse": true,
    "CustomerId": null,
    "PaymentMethod": {
      "BillingAddress": {
        "AddressLine1": "123 Main St",
        "City": "Los Angeles",
        "State": "CA",
        "PostalCode": "90210",
        "Country": "USA"
      },
      "BillingFirstName": "Joe",
      "BillingLastName": "Smith",
      "CreditCard": {
        "PaymentAccountNumber": "4111111111111111",
        "ExpirationDate": "1130",
        "SecurityCode": "123"
      }
    },
    "Invoice": {
      "MerchantInvoiceRefId": "ABC12345DProbVs1",
      "Amount": { "value": 11.13 }
    }
  }'

Common errors & troubleshooting

  • 401 Unauthorized
    • Cause: missing or invalid x-revolv3-token.
    • Fix: confirm token value, ensure token matches environment (sandbox vs production), and send header exactly as x-revolv3-token: <token>.
  • 415 Unsupported Media Type
    • Cause: missing or incorrect Content-Type.
    • Fix: set Content-Type: application/json.
  • 400 Bad Request (validation errors)
    • Cause: malformed JSON or missing required fields in body.
    • Fix: validate JSON payload and required fields.
  • “Attempted to perform an unauthorized operation”
    • Cause: token lacks permission for requested operation.
    • Fix: check token scope/permissions via the portal (use the help icon to submit a ticket) or use appropriate merchant account credentials.

When opening a support ticket (log in to the portal and use the help icon), include: the request timestamp, full request headers (server-side logs only), and the request body (redact sensitive data).

Best practices

  • Never expose x-revolv3-token in browser or public client code. Use server-side proxies or functions.
  • Keep separate tokens and credentials for sandbox and production.
  • Rotate static tokens periodically and follow a staged rotation process (update server, test in sandbox, then rotate production).
  • Use Idempotency-Key for retryable payment requests where applicable.
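
The server-side handling described under "Best practices" and the redaction asked for in the support-ticket note can be sketched together; this is an added example, not Revolv3 code. The environment variable name REVOLV3_TOKEN, the function names, and the masking format are assumptions; the header and field names are the ones shown on this page.

```python
import os

TOKEN_HEADER = "x-revolv3-token"
# Card fields from the sale example on this page that must not reach logs or tickets.
CARD_FIELDS = {"PaymentAccountNumber", "SecurityCode", "ExpirationDate"}


def build_headers(environ=os.environ, idempotency_key=None):
    """Build the required headers server-side; the token is read from the
    process environment (REVOLV3_TOKEN is an assumed variable name)."""
    token = environ.get("REVOLV3_TOKEN", "").strip()
    if not token:
        raise RuntimeError("REVOLV3_TOKEN is not set; refusing to send the request")
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        TOKEN_HEADER: token,
    }
    if idempotency_key:  # only for retryable payment requests, where applicable
        headers["Idempotency-Key"] = idempotency_key
    return headers


def _mask(value):
    """Keep the last four characters of long values; fully mask short ones."""
    text = str(value)
    return "*" * (len(text) - 4) + text[-4:] if len(text) > 8 else "[REDACTED]"


def redact_headers(headers):
    """Copy headers with the token value replaced (header names are case-insensitive)."""
    return {k: ("[REDACTED]" if k.lower() == TOKEN_HEADER else v) for k, v in headers.items()}


def redact_body(body):
    """Return a new request body with card fields masked at any nesting depth."""
    def walk(node):
        if isinstance(node, dict):
            return {k: (_mask(v) if k in CARD_FIELDS and v is not None else walk(v))
                    for k, v in node.items()}
        if isinstance(node, list):
            return [walk(item) for item in node]
        return node
    return walk(body)

if __name__ == "__main__":
    # Constructed sample values, not real credentials or card data.
    print(redact_headers(build_headers({"REVOLV3_TOKEN": "constructed-sample-token"})))
    print(redact_body({"CreditCard": {"PaymentAccountNumber": "4111111111111111", "SecurityCode": "123"}}))
```

Log or attach only the output of redact_headers and redact_body; the unredacted headers and body should exist only in memory for the duration of the outbound call.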