API keys

API keys allow you to access your Passport account programmatically and integrate wallet passes into your applications. Each API key inherits the permissions of the user who created it, giving access to all of that user’s resources.

Creating an API key

You can create an API key by following these steps:

Go to settings

Go to Settings > API keys. Settings page with API tab highlighted

Create an API key

Click “Create API key” and give it a descriptive name. Create API key form

Store your API key

Once your API key is created, make sure to copy and store it in a safe place. You won’t be able to see it again for security reasons. If it gets lost, you can create a new one. Generated API key with copy button highlighted

Generated API key with copy button highlighted

Your API key grants full access to your Passport account. Keep it secure and never share it publicly.

Use your API key

Now that you have your API key, you can use it to access your account’s resources programmatically via any API request using the api-key header.

api-key: ub_live_xxxx

Example Usage

Include your API key in the api-key header:

curl -X GET 'https://api.ubpass.co/v1/wallet-pass' \
  -H 'api-key: YOUR_API_KEY_HERE'

Example with a Real Request

curl -X GET 'https://api.ubpass.co/v1/wallet-pass' \
  -H 'api-key: ub_live_abc123xyz456...' \
  -H 'Content-Type: application/json'

Authentication Errors

If your API key is missing, invalid, or malformed, you’ll receive authentication errors:

Missing API Key (401 Unauthorized)

When no API key is provided in the request headers, you’ll receive a 401 Unauthorized response indicating that authentication is required.

{
  "txId": "req-xxx",
  "timestamp": "2025-01-17T10:30:00Z",
  "errorCode": "UNAUTHORIZED", 
  "errorMessage": "Authentication required"
}

The exact error message may vary depending on the endpoint.

Invalid API Key (403 Forbidden)

When an invalid or malformed API key is provided, you’ll receive a 403 Forbidden response indicating that access is denied.

{
  "txId": "req-xxx",
  "timestamp": "2025-01-17T10:30:00Z",
  "errorCode": "FORBIDDEN",
  "errorMessage": "Access denied"
}

The exact error message may vary depending on the endpoint.

Best Practices

Secure Storage

Use environment variables in production
Never commit API keys to version control
Use different keys for development and production
Rotate keys regularly for security

Rate Limiting

API requests are rate limited to prevent abuse
Include proper error handling for 429 responses
Implement exponential backoff for retries
Cache responses when possible

Environment Setup Examples

// .env file
PASSPORT_API_KEY=ub_live_your_api_key_here

// app.js
const API_KEY = process.env.PASSPORT_API_KEY;

const response = await fetch('https://api.ubpass.co/v1/wallet-pass', {
  headers: {
    'api-key': API_KEY,
    'Content-Type': 'application/json'
  }
});

When you remove a user from your organization (or they leave your organization), all API keys associated with that user will stop working as well. Keep this in mind when managing users.

Getting Started

Passes

Push Notifications

Locations

Creating an API key

Example Usage

Example with a Real Request

Authentication Errors

Best Practices

Secure Storage

Rate Limiting

Environment Setup Examples

Getting Started

Passes

Push Notifications

Locations

​Creating an API key

​Example Usage

​Example with a Real Request

​Authentication Errors

​Best Practices

Secure Storage

Rate Limiting

​Environment Setup Examples

Creating an API key

Example Usage

Example with a Real Request

Authentication Errors

Best Practices

Environment Setup Examples