Skip to main content
The Developer API authenticates every request via the X-API-Key header. There are no OAuth flows, bearer tokens, or session cookies on this surface.

Creating an API key

  1. Sign in to VoucherGrid.
  2. Open Settings → Account → API Keys.
  3. Click Create key, choose the scopes you need, and copy the full key value. The full key is shown once – store it in a secret manager immediately.

Key format

API keys are issued in two formats:
PrefixModeUse
vg_live_LiveProduction traffic
vg_test_TestTest-mode traffic and rehearsals
The first 12 characters (the prefix) appear in the dashboard for identification – the rest of the key is never recoverable after creation.

Sending the key

Include the key in the X-API-Key header on every request:
curl -H "X-API-Key: vg_live_EXAMPLEdoNotUseThis123456" \
  https://api.vouchergrid.com/api/v1/developer/vouchers
await fetch("https://api.vouchergrid.com/api/v1/developer/vouchers", {
  headers: {
    "X-API-Key": process.env.VOUCHERGRID_API_KEY!,
  },
});

Authentication failures

StatusReason
401X-API-Key header missing
401API key not recognised
401API key has been revoked
401API key has expired
403Tenant account is disabled
403Tenant subscription is not active Professional
403Key is location-scoped and the request targets a different scope
403Key is missing one of the scopes required by the endpoint

Tenant scoping

Every API key belongs to exactly one tenant. All reads and writes performed via the key are automatically scoped to that tenant – you cannot read or modify another tenant’s data, and there is no tenant ID parameter to override.

Location-scoped keys

A key may optionally be scoped to a single location. When that is the case:
  • Voucher list/get/redeem operations only see vouchers at that location.
  • Voucher creation forces the new voucher to that location. Passing a different location_id in the request body returns 403 Forbidden.