Skip to main content

Environments

The API offers two environments: Sandbox and Production. The Sandbox environment is designed for testing and experimentation, letting you simulate API interactions without affecting real data. The Production environment handles live operations and requires verified credentials. Throughout this documentation, API endpoint references default to the Sandbox environment.

Sandbox

Production

Using and Managing Iron API Keys

To access the Iron API, you need to include a valid API key with each request. The API key acts as a unique identifier for secure communication between your application and the API.

Managing API Keys in the Partner Dashboard

You can create and manage API keys in the Partner Dashboard.
1

Log in to the Partner Dashboard

2

Navigate to Developer → API Keys

Creating an API Key

When creating a new API key, you need to provide the following details:
  • Role: Define the key’s permissions:
    • Read Only: Read-only access.
    • Read / Write: Read and write access.
  • Label: A descriptive name to help you identify the key, especially if you manage multiple keys.

Revoking an API Key

You can revoke an API key at any time through the Partner Dashboard.

Using an API Key

Once you’ve created an API key, include it in the X-API-Key header of each request.

Example Request

Here’s an example using curl to fetch a list of customers: 
curl --request GET \
     --url https://api.sandbox.iron.xyz/api/customers \
     --header 'X-API-Key: <your-api-key>' \
     --header 'Accept: application/json; charset=utf-8'
Include the X-API-Key header in every request. Replace <your-api-key> with the key you generated in the Partner Dashboard.

Rate Limiting

Iron implements multiple layers of rate limiting for fair usage and system stability. This includes per-API-key limits for authenticated requests as well as infrastructure-level protections against unauthorized access attempts and abuse. When rate limits are exceeded, the API returns an HTTP 429 Too Many Requests status code. Your application should handle this response appropriately, typically by implementing exponential backoff retry logic. If you have specific requirements or anticipate high-volume usage, contact our team to discuss your needs.

Errors

StatusCodeCause
401unauthorizedMissing or invalid X-API-Key
429rate_limitedRate limit exceeded
Example error: 
{
  "error": {
    "code": "unauthorized",
    "message": "The API key is missing or invalid.",
    "request_id": "req_8f9a8c7d8b1"
  }
}

MCP Server

https://www.npmjs.com/package/@ironxyz/mcp-server Some examples of what you can do with it:
  1. Cursor automatically locates the Iron.xyz MCP server.
  2. It retrieves a summary list of all available endpoints and identifies the correct one to use.
  3. It fetches the complete OpenAPI specification for the selected endpoint.
  4. It implements a full Golang backend based on that spec.
  5. It makes a real API call to the sandbox endpoint and returns the live response within the Cursor chat.