PathaoParcel

© 2026 Pathao Ltd. All rights reserved.

Authentication

Every request to the Pathao Parcel Business API must include a valid API key. The key identifies your business account and is used to enforce rate limits, permissions, and billing.

API Key Setup

You receive your API key when onboarding as a Pathao Parcel business partner. Two keys are issued:

  • Sandbox key -- prefixed with sandbox_key_test_. Use this for development and testing.
  • Production key -- prefixed with live_key_. Use this for real deliveries.

Store your API key in an environment variable. Never hard-code it in client-side code or commit it to version control.

.env
# .env (do NOT commit this file)
PATHAO_API_KEY=sandbox_key_test_1234567890

Making Authenticated Requests

Pass your API key in the X-API-Key HTTP header on every request. The API returns 401 Unauthorized if the header is missing or the key is invalid.

curl -X GET https://api.pathao.com/v1/business/orders \
  -H "X-API-Key: your_api_key"

Environments

Pathao Parcel exposes two environments. Use the sandbox for development and switch to production when you are ready to go live.

Environment   Base URL                      Key Prefix
Production    https://api.pathao.com        live_key_
Sandbox       https://sandbox.pathao.com    sandbox_key_test_
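
The sketch below is an added example, not code from Pathao or its SDKs: it reads PATHAO_API_KEY from the environment, refuses a key whose prefix does not match the target environment in the table above, and keeps the full key out of error messages. The function and class names (load_key, build_request, redact, KeyConfigError) are hypothetical.

```python
import os
import urllib.request

# Base URLs and key prefixes as listed in the Environments table.
ENVIRONMENTS = {
    "production": ("https://api.pathao.com", "live_key_"),
    "sandbox": ("https://sandbox.pathao.com", "sandbox_key_test_"),
}


class KeyConfigError(RuntimeError):
    """Raised when the key is missing or belongs to a different environment."""


def redact(key):
    """Return a log-safe form: the prefix plus, for long keys, the last 4 characters."""
    for _, prefix in ENVIRONMENTS.values():
        if key.startswith(prefix):
            secret = key[len(prefix):]
            tail = secret[-4:] if len(secret) > 8 else ""
            return f"{prefix}...{tail}"
    return "<unrecognized key>"


def load_key(environment, env=None):
    """Read PATHAO_API_KEY and reject a key issued for another environment."""
    env = os.environ if env is None else env
    if environment not in ENVIRONMENTS:
        raise KeyConfigError(f"unknown environment: {environment!r}")
    key = env.get("PATHAO_API_KEY", "").strip()
    if not key:
        raise KeyConfigError("PATHAO_API_KEY is not set")
    _, prefix = ENVIRONMENTS[environment]
    if not key.startswith(prefix) or len(key) == len(prefix):
        # Only the redacted form appears in the message, so logs never hold the key.
        raise KeyConfigError(f"key {redact(key)} is not a {environment} key")
    return key


def build_request(environment, path, env=None):
    """Build (but do not send) an authenticated request for the given API path."""
    key = load_key(environment, env)
    base_url, _ = ENVIRONMENTS[environment]
    # urllib stores the header name as "X-api-key"; HTTP header names are case-insensitive.
    return urllib.request.Request(base_url + path, headers={"X-API-Key": key})
```

Running the check at process start-up makes a sandbox key deployed to production (or the reverse) fail at boot instead of on the first API call.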

Key Rotation

You can rotate your API key at any time from the partner dashboard. When you rotate a key:

  1. A new key is generated immediately.
  2. The old key remains valid for 24 hours to give you time to update your integration.
  3. After the grace period, the old key is permanently revoked.

We recommend rotating your production key every 90 days as a security best practice.

Security Best Practices

  • Use environment variables. Never hard-code API keys in source files.
  • Keep keys server-side. Never expose API keys in client-side JavaScript, mobile apps, or public repositories.
  • Rotate regularly. Rotate production keys every 90 days and immediately if you suspect a leak.
  • Use separate keys per environment. Use your sandbox key for development and testing. Use your production key only in production.
  • Monitor usage. Check the partner dashboard for unexpected spikes in API usage that could indicate a compromised key.
  • Restrict access. Only share API keys with team members who need them. Use your organization's secrets manager when possible.