Skip to main content

Welcome

Our API is currently in Beta and is not yet available to the wider public. More functionality will be added in the near future as we continuously build out our API. If you’d like to request access, offer feedback, or have any inquiries about the API, don’t hesitate to contact us at [email protected].

Base URL

All requests are made against: 
https://api.slash.com

Authorization

Slash uses API Keys to authorize requests. If you have beta access to the API, you can create and revoke your API Keys in the dashboard for your organization. 
curl --url "https://api.slash.com${PATH}" \
  -H "X-API-Key: ${SLASH_API_KEY}"
Keys come in two flavors:
  • Legal-entity-scoped keys are pinned to a single legal entity. Minted from the dashboard under a specific entity; every request acts on that entity. Use these for server-to-server integrations against one entity.
  • User-scoped keys are pinned to a user and span every legal entity that user has access to. Use these to act as a specific user across one or more entities.
Every request made with a user-scoped key must include an x-legal-entity header naming the legal entity the request is operating on. The one exception is GET /legal-entity, which lists the entities the user can access — use it to discover the id you should send. 
curl --url "https://api.slash.com/transfers/book-transfer" \
  -H "X-API-Key: ${SLASH_API_KEY}" \
  -H "x-legal-entity: ${LEGAL_ENTITY_ID}" \
  -H "X-Idempotency-Key: $(uuidgen)" \
  -H "content-type: application/json" \
  -d '{"from":"sa_group_...","to":"sub_...","amountCents":1000}'
Requests without the header are rejected with 400. If the authenticated user does not have an active permission role on the supplied entity, the request is rejected with 403.

Idempotency

Write endpoints that move money or create resources accept an X-Idempotency-Key header. Replaying a request with the same key returns the original result; replaying with the same key but a different body returns 409 Conflict. Use a fresh UUID per logical operation. Endpoints that currently require an idempotency key:
  • POST /transfers/book-transfer
  • POST /transfer/virtual-account

Errors

Errors are returned as JSON with a consistent envelope: 
{
  "success": false,
  "message": "You must be logged in to do that. [4041-2121cyx]",
  "identifier": 4041,
  "rawStatus": 401,
  "displayType": "toast"
}
FieldDescription
messageHuman-readable explanation, suitable for surfacing to end users. The bracketed [<identifier>-<requestId>] suffix uniquely identifies the failure for support.
identifierStable numeric error code. Pair with rawStatus to branch programmatically.
rawStatusHTTP status of the response (mirrors the response status line).
displayTypeUI hint (toast, etc.) used by Slash’s own clients; safe to ignore.
successAlways false on errors.
Every response — success or failure — also carries an x-request-id header. Include it when reporting an issue. Common statuses:
StatusMeaning
400 Bad RequestMalformed body, missing required field, or missing x-legal-entity on a user-scoped key.
401 UnauthorizedMissing or invalid API key.
403 ForbiddenAuthenticated, but the user/entity lacks permission for the resource.
404 Not FoundThe referenced resource does not exist (or is not visible to the caller).
409 ConflictIdempotency key replay with a mismatched body, or a state-conflict on the target resource.
500 Internal Server ErrorSomething went wrong on our end — retry, and contact support with the x-request-id if it persists.