BillClap uses API tokens for server-to-server authentication. Tokens are generated only from the BillClap application—not via a public API endpoint.
Generate your token
- Log in to app.billclap.com
- Select your business
- Go to Settings → API Integration
- Generate and copy your API token
Tokens can only be generated once per business. Store the token in a secrets manager or environment variable—never in client-side code.
Every API request must carry the token in the dedicated header:
x-api-token: <your-api-token>
Do not send it as Authorization: Bearer. API integration endpoints read only the x-api-token header; a request without it is rejected with 401 "API token is required".
Token lifecycle
| Property | Value |
|---|---|
| Generation | Once per business, from BillClap Settings |
| Validity | 365 days from generation |
| Scope | Tied to user_id + business_id |
| Plan requirement | API integration feature must be enabled |
How tokens are structured
When you generate a token in the BillClap app, the backend:
- Creates a JWT payload with user_id, business_id, and type: "api_token"
- Signs it with API_TOKEN_SECRET
- Wraps it in an outer JWT (referred to as the encrypted token) signed with API_ENCRYPTION_SECRET
- Stores the resulting token on the business record
When you call an API endpoint, the server:
- Verifies the outer JWT using API_ENCRYPTION_SECRET
- Verifies the inner JWT using API_TOKEN_SECRET
- Confirms type === "api_token"; any other JWT, even one signed with the same secrets, is rejected with "Invalid token type"
- Attaches user_id and business_id to the request context
Both layers are checked on every request, so a token stops working if either secret is rotated on the server.
Error responses
| HTTP Status | Message | Cause |
|---|---|---|
| 401 | API token is required | Missing x-api-token header |
| 401 | Invalid token type | Token is not an API token |
| 401 | JWT library error message | Expired, invalid, or tampered token |
| 200 | Plan permission error | Business plan does not include API integration |
Note that the plan permission error is returned with HTTP 200, so a client that treats any 2xx status as success will silently accept it. Check the response body for this error before using the result.
Security best practices
- Store tokens in environment variables or a secrets manager — never in client-side code
- If a token is compromised, contact support to have it revoked and reissued: self-service regeneration is not available today, since a token can be generated only once per business
- Use HTTPS for all requests: the token is a bearer credential, and anyone who captures it can act as your business for the rest of its 365-day validity
- Restrict token access to backend services only