Qismah uses API tokens for public API access. A token belongs to one account and can access the same ledgers that account can access.
API token creation and API requests require Qismah Plus.
Create a token
Open Qismah on iOS, then go to:
Create a token, copy it once, and store it securely.
Send a token
Send tokens with the Authorization header:
curl https://qismah.app/api/public/v1/me \
-H "Authorization: Bearer qpk_your_token"
x-api-key is also supported for tools that cannot set bearer tokens:
curl https://qismah.app/api/public/v1/me \
-H "x-api-key: qpk_your_token"
Token lifecycle
Tokens can be revoked from the app. Expired, revoked, missing, or mistyped tokens return 401 Unauthorized.
Do not put API tokens in mobile apps, frontend JavaScript, screenshots, or public repositories.
