Authentication
Authenticated endpoints require an API key passed via the Authorization header. Public endpoints (detect, formats) do not require authentication.
Bearer Token
Pass your API key in the Authorization header. Both the Bearer prefix and plain key formats are accepted.
| Header Format | Example |
|---|---|
Authorization: Bearer <key> | Bearer fc_live_abc123... |
Authorization: <key> | fc_live_abc123... |
Authenticated request
curl -X POST https://api.finconvert.dev/v1/parse \
-H "Authorization: Bearer fc_live_xxxxx" \ # Your API key
-F "file=@bank-statement.mt940" # Upload a local file Authenticated request
const form = new FormData()
form.append('file', fs.createReadStream('statement.mt940'))
const response = await fetch('https://api.finconvert.dev/v1/parse', {
method: 'POST',
headers: { 'Authorization': 'Bearer fc_live_xxxxx' },
body: form,
})
const data = await response.json() Authenticated request
import requests
with open('statement.mt940', 'rb') as f:
response = requests.post(
'https://api.finconvert.dev/v1/parse',
headers={'Authorization': 'Bearer fc_live_xxxxx'},
files={'file': f},
)
data = response.json()API Key Prefixes
FinConvert uses prefixed API keys to distinguish between production and sandbox environments.
| Prefix | Environment | Usage |
|---|---|---|
fc_live_ | Production | Live conversions, counted toward billing quota |
fc_test_ | Sandbox | Testing and development, separate rate limits and quotas |
Test vs Live Environments
Both key types hit the same API endpoint and produce real conversions. The difference is in how usage is tracked:
- Live keys — Usage counts toward your monthly billing quota. Rate limits depend on your plan.
- Test keys — Usage is tracked separately with a fixed limit of 200 conversions/month and 30 requests/60 seconds, regardless of your plan.
Same API, same results
Test keys produce the exact same conversion output as live keys. Use them during development
and in your CI/CD pipeline without worrying about billing.
Security Best Practices
Keep your API keys secret
Never expose API keys in client-side code, public repositories, or browser network requests.
API keys should only be used in server-side code.
- Store API keys in environment variables or a secrets manager
- Rotate keys immediately if you suspect they have been compromised
- Use test keys during development to avoid accidental billing charges
- Generate separate keys for different services or environments
Ready to get started?
Get your API key from the dashboard and start converting bank statements.
Go to Dashboard