Skip to main content

What Is a Static Token?

Revolv3 authenticates requests using a header called x-revolv3-token. The value you send in this header is your static token (in some older docs you may see it called an API key or merchant access token). In the Revolv3 portal, you manage this value under Settings → Integration Profile → Developer Static Tokens.
Think of your static token as a password for server-to-server communication.
Purpose of the Static Token
  • Authentication: Verifies that the request is coming from an authorized merchant account
  • Authorization: Determines which API operations are permitted
  • Account Binding: Links each request to a specific merchant profile
All API requests must include a valid static token. Requests without it will be rejected.

How to Obtain Your Static Token

Revolv3 provides separate environments for testing and live transactions. In the portal you may see two credential types:
  1. Developer Static Tokens (recommended)
  2. Developer API Keys (legacy / deprecated)
For new integrations, use a Developer Static Token and send it in the x-revolv3-token header on every request. Important:
Sandbox and Production API keys are completely separate and are not interchangeable. Never use a sandbox key in production, or vice versa. They won’t work and could cause authentication errors.
  1. Log in to the appropriate portal:
    • Sandbox: portal-sandbox.revolv3.com
    • Production: portal.revolv3.com
  2. Navigate to:
    • Settings → Integration Profile
  3. Locate the section:
    • Developer Static Tokens
  4. Click Create Static Token and copy the value securely.
Important: Sandbox and production each have their own static tokens. Always use a sandbox token in sandbox and a production token in production.
When to Use Developer Static Tokens are recommended for:
  • All new integrations
  • Backend services that call Revolv3 directly
  • Environments where you control server-side secrets

Option 2: Developer API Keys (Legacy)

Developer API Keys are part of a legacy authentication flow that exchanges the key for a short‑lived access token (used in an Authorization: Bearer … header).
  • This mechanism is deprecated and should be used only for existing integrations that already rely on it.
  • For details or migration guidance, contact Revolv3 support via the portal help icon.

Option 3: Contact Revolv3 Support

If you can’t find your static token in the portal or need assistance, log into the portal and use the help icon to submit a support ticket.

Security Recommendation

For new integrations, Revolv3 recommends using Developer Static Tokens (sent in the x-revolv3-token header). If you maintain a legacy integration that uses Developer API Keys, plan to migrate to static tokens with Revolv3’s guidance. Strictly Prohibited
  • Embedding static tokens or API keys in:
    • Frontend code
    • Mobile applications
    • Public repositories
    • URLs
  • Logging full static tokens or API keys
  • Sharing credentials via email or chat
For detailed security guidance, see Security Best Practices.

How to Use Your Static Token

Once you have your static token, include it in the x-revolv3-token header on every API request.

Required Headers

Every API request needs these headers:
HeaderValueDescription
x-revolv3-tokenYour static tokenRequired - Your authentication credential
Content-Typeapplication/jsonRequired - For POST/PUT requests with JSON body
Acceptapplication/jsonRecommended - Requests JSON response format

Example Request

Here’s how to include your static token in a request: 
curl --location 'https://api-sandbox.revolv3.com/api/payments/sale' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'x-revolv3-token: [your-static-token]' \
  --data '{
    "Invoice": {
      "Amount": { "value": 10.00 }
    }
  }'
Replace [your-static-token] with your actual static token. Use the sandbox API host for testing and switch to the production host (api.revolv3.com) when you’re ready to go live.

Next Steps