Authentication
The IDeliver API uses API keys for machine-to-machine integrations. All requests must include your API key in the Authorization header.
API keys
Your API keys are available in the merchant dashboard under Settings → API Keys.
| Key prefix | Environment |
|---|---|
ilv_test_… | Sandbox — safe for development and testing |
ilv_live_… | Production — real orders and real riders |
Send your key with every request:
curl https://api.ideliver.ng/v1/orders \
-H "Authorization: Bearer ilv_test_YOUR_KEY_HERE"import Ideliver from "@ideliver/node";
const client = new Ideliver({ apiKey: "ilv_test_YOUR_KEY_HERE" });Scopes
Each API key is scoped to limit what it can do. When creating a key, select only the scopes your integration needs.
| Scope | What it allows |
|---|---|
orders:read | Retrieve and list orders |
orders:write | Create new orders |
webhooks:manage | Register and update your outbound webhook URL |
keys:manage | Create and revoke other API keys |
Attempting an action without the required scope returns HTTP 403.
Security best practices
- Never expose your API key in client-side code (browser JavaScript, mobile apps).
- Rotate keys immediately if you suspect a leak — use the dashboard to revoke and re-create.
- Use the narrowest scope — an order ingest integration only needs
orders:write. - Store keys in environment variables, never hardcoded in source files.
Sandbox vs Production
Sandbox keys (ilv_test_…) and production keys (ilv_live_…) both hit the same API hostname (api.ideliver.ng) but operate in isolated environments. Sandbox orders do not dispatch real riders or charge your wallet.
When you are ready to go live, create a production key and update your environment variable.
Unauthenticated requests
Requests without a valid API key return:
{
"error": "unauthorized",
"message": "Missing or invalid API key."
}Status code: HTTP 401.