Apocor keys only
Exchange a
client_id + client_secret for a short-lived bearer token. That’s the only credential your services ever hold.Fully white-labeled
Responses expose Apocor resources only — no upstream provider names, ids, or keys ever leak to your app.
Consistent envelopes
Every resource response is wrapped in
{ "data": … }; every error is { "error": { "code", "message" } }.Interactive reference
Try any endpoint from the browser against your sandbox with your bearer token.
How it fits together
Base URLs
| Environment | Base URL |
|---|---|
| Sandbox | https://sandbox.apocor.ai |
| Production | https://api.apocor.com (coming soon) |
| Local | http://localhost:4000 |
Documentation map
| Section | Purpose |
|---|---|
| Quickstart | Authenticate and issue your first card |
| Authentication | API keys and bearer tokens |
| KYC integration | Hosted verification, BYOK share tokens, issuer readiness |
| Applicants & Cards | Core objects in the card flow |
| Responses & Errors | Envelope shapes and error codes |
| API Reference | Card integration endpoints with a live playground |