# API Access

> Obtain and manage API keys for authenticating with the Iron API. Covers Sandbox and Production environments, key creation, and permissions.

## Environments

The API offers two environments: Sandbox and Production. The Sandbox environment is designed for testing and experimentation, letting you simulate API interactions without affecting real data. The Production environment handles live operations and requires verified credentials. Throughout this documentation, API endpoint references default to the Sandbox environment.

### Sandbox

* **API Base URL:** [https://api.sandbox.iron.xyz](https://api.sandbox.iron.xyz)
* **Partner Dashboard:** [https://app.sandbox.iron.xyz](https://app.sandbox.iron.xyz)

### Production

* **API Base URL:** [https://api.iron.xyz](https://api.iron.xyz)
* **Partner Dashboard:** [https://app.iron.xyz](https://app.iron.xyz)

## Using and Managing Iron API Keys

To access the Iron API, you need to include a valid API key with each request. The API key acts as a unique identifier for secure communication between your application and the API.

## Managing API Keys in the Partner Dashboard

You can create and manage API keys in the [Partner Dashboard](/partner-dashboard).

<Steps>
  <Step title="Log in to the Partner Dashboard" />

  <Step title="Navigate to Developer → API Keys" />
</Steps>

### Creating an API Key

When creating a new API key, you need to provide the following details:

* **Role**: Define the key's permissions:

  * **Read Only**: Read-only access.
  * **Read / Write**: Read and write access.

* **Label**: A descriptive name to help you identify the key, especially if you manage multiple keys.

### Revoking an API Key

You can revoke an API key at any time through the Partner Dashboard.

## Using an API Key

Once you’ve created an API key, include it in the `X-API-Key` header of each request.

### Example Request

Here’s an example using `curl` to fetch a list of customers:

<CodeGroup>
  ```bash Bash
  curl --request GET \
       --url https://api.sandbox.iron.xyz/api/customers \
       --header 'X-API-Key: <your-api-key>' \
       --header 'Accept: application/json; charset=utf-8'
  ```
</CodeGroup>

<Note>
  Include the `X-API-Key` header in every request. Replace `<your-api-key>` with the key you generated in the Partner Dashboard.
</Note>

## Rate Limiting

Iron implements multiple layers of rate limiting for fair usage and system stability. This includes per-API-key limits for authenticated requests as well as infrastructure-level protections against unauthorized access attempts and abuse.

When rate limits are exceeded, the API returns an HTTP `429 Too Many Requests` status code. Your application should handle this response appropriately, typically by implementing exponential backoff retry logic.

If you have specific requirements or anticipate high-volume usage, contact our team to discuss your needs.

## Errors

| Status | Code           | Cause                          |
| ------ | -------------- | ------------------------------ |
| 401    | `unauthorized` | Missing or invalid `X-API-Key` |
| 429    | `rate_limited` | Rate limit exceeded            |

**Example error:**

```json
{
  "error": {
    "code": "unauthorized",
    "message": "The API key is missing or invalid.",
    "request_id": "req_8f9a8c7d8b1"
  }
}
```
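The retry handling recommended under Rate Limiting, combined with the error envelope above, as an added Python example (not Iron's own client code). It retries only on `429` with capped exponential backoff and full jitter, and fails fast on `401`. The names `IRON_API_KEY`, `get_with_backoff`, `http_send` and `IronAPIError`, and the retry parameters, are assumptions made for this example.

```python
import json, os, random, time
import urllib.error, urllib.request

BASE_URL = "https://api.sandbox.iron.xyz"  # Sandbox base URL from this page

class IronAPIError(Exception):
    """Carries the fields of the error envelope shown in the Errors section."""
    def __init__(self, status, body):
        err = body.get("error", {}) if isinstance(body, dict) else {}
        self.status, self.code = status, err.get("code")
        self.request_id = err.get("request_id")  # useful when contacting support
        super().__init__(f"HTTP {status} {self.code} request_id={self.request_id}")

def _json(raw):
    try:
        return json.loads(raw)
    except ValueError:  # tolerate an empty or non-JSON error body
        return {}

def http_send(path):
    """One GET. The key is read from the environment and never logged."""
    req = urllib.request.Request(BASE_URL + path, headers={
        "X-API-Key": os.environ["IRON_API_KEY"],  # assumed variable name
        "Accept": "application/json; charset=utf-8"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, _json(resp.read())
    except urllib.error.HTTPError as exc:
        return exc.code, _json(exc.read())

def get_with_backoff(path, send=http_send, max_attempts=5, base=0.5, cap=30.0,
                     sleep=time.sleep, rng=random.random):
    """Retry only on 429, with capped exponential backoff and full jitter."""
    for attempt in range(max_attempts):
        status, body = send(path)
        if status == 429 and attempt < max_attempts - 1:
            # Wait a random time in [0, min(cap, base * 2**attempt)] seconds.
            sleep(rng() * min(cap, base * 2 ** attempt))
            continue
        if status >= 400:
            # 401 means a missing or invalid key: retrying cannot succeed
            # and only adds failed authentication attempts, so fail fast.
            raise IronAPIError(status, body)
        return body
```

The `send`, `sleep` and `rng` parameters exist so the retry policy can be exercised offline with a stub transport.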

## MCP Server

[https://www.npmjs.com/package/@ironxyz/mcp-server](https://www.npmjs.com/package/@ironxyz/mcp-server)

Some examples of what you can do with it:

1. Cursor automatically locates the Iron.xyz MCP server.
2. It retrieves a summary list of all available endpoints and identifies the correct one to use.
3. It fetches the complete OpenAPI specification for the selected endpoint.
4. It implements a full Golang backend based on that spec.
5. It makes a real API call to the sandbox endpoint and returns the live response within the Cursor chat.
