Protected Simfy Business API requests should be made from your backend using API keys issued by Simfy Business. Your app should never call protected Simfy Business endpoints directly from a browser or mobile app. Your backend signs the request and sends it to Simfy Business. API-key requests operate in the business account context for the issued key.

Required headers

x-api-key: YOUR_SIMFY_BUSINESS_API_KEY
x-timestamp: 2026-05-22T00:00:00.000Z
x-signature: GENERATED_SIGNATURE

Where requests should be signed

Sign requests on your backend only. Do not put API keys, signing secrets, PINs, passwords, or authorization values in frontend code, mobile apps, analytics tools, public Postman workspaces, or logs.