# Getting Started

> Use the Slash API to access your account, transactions, cards and more.

## Welcome

Our API is currently in Beta and is not yet available to the wider public. More functionality will be
added in the near future as we continuously build out our API. If you'd like to request access, offer feedback, or have any inquiries about
the API, don't hesitate to contact us at [support@joinslash.com](mailto:support@joinslash.com).

## Base URL

All requests are made against:

```
https://api.slash.com
```

## Authorization

Slash uses API Keys to authorize requests. If you have beta access to the API, you can create and revoke your API Keys in the dashboard for your organization.

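```bash
# ENDPOINT_PATH is the request path, e.g. /legal-entity. Do not name it PATH:
# that variable is the shell's executable search path.
curl --url "https://api.slash.com${ENDPOINT_PATH}" \
  -H "X-API-Key: ${SLASH_API_KEY}"
```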

Keys come in two flavors:

* **Legal-entity-scoped keys** are pinned to a single legal entity. They are minted from the dashboard under a specific entity, and every request acts on that entity. Use these for server-to-server integrations against one entity.
* **User-scoped keys** are pinned to a user and span every legal entity that user has access to. Use these to act as a specific user across one or more entities.

### `x-legal-entity` header (user-scoped keys)

Every request made with a user-scoped key must include an `x-legal-entity` header naming the legal entity the request is operating on. The one exception is `GET /legal-entity`, which lists the entities the user can access — use it to discover the id you should send.

```bash
curl --url "https://api.slash.com/transfers/book-transfer" \
  -H "X-API-Key: ${SLASH_API_KEY}" \
  -H "x-legal-entity: ${LEGAL_ENTITY_ID}" \
  -H "X-Idempotency-Key: $(uuidgen)" \
  -H "content-type: application/json" \
  -d '{"from":"sa_group_...","to":"sub_...","amountCents":1000}'
```

Requests without the header are rejected with `400`. If the authenticated user does not have an active permission role on the supplied entity, the request is rejected with `403`.

## Idempotency

Write endpoints that move money or create resources accept an `X-Idempotency-Key` header. Replaying a request with the same key returns the original result; replaying with the same key but a different body returns `409 Conflict`. Use a fresh UUID per logical operation.

Endpoints that currently require an idempotency key:

* `POST /transfers/book-transfer`
* `POST /transfer/virtual-account`
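
The sketch below is an added example, not Slash's own client code. It shows why the key must be generated once per logical operation and reused on every retry: a retry after a `500` then cannot move money twice. The `send` transport hook, the `FakeSlash` stand-in server, the success body shape and all sample values are assumptions constructed for illustration.

```python
import json
import uuid

URL = "https://api.slash.com/transfers/book-transfer"

def book_transfer(send, api_key, body, legal_entity=None, max_attempts=3):
    """send(method, url, headers, data) -> (status, json) is a hypothetical transport hook."""
    payload = json.dumps(body, sort_keys=True)   # serialized once: identical on every attempt
    headers = {
        "X-API-Key": api_key,
        "content-type": "application/json",
        "X-Idempotency-Key": str(uuid.uuid4()),  # created OUTSIDE the retry loop
    }
    if legal_entity is not None:                 # required with user-scoped keys
        headers["x-legal-entity"] = legal_entity
    for _ in range(max_attempts):
        status, result = send("POST", URL, headers, payload)
        if status != 500:                        # 409 and other 4xx go back to the caller
            break
    return status, result

class FakeSlash:
    """Constructed stand-in that applies the replay rules described above."""
    def __init__(self, fail_first=1):
        self.seen = {}               # idempotency key -> (body, result)
        self.transfers = 0           # number of transfers actually executed
        self.fail_first = fail_first

    def send(self, method, url, headers, data):
        key = headers["X-Idempotency-Key"]
        if key in self.seen:
            prev_body, result = self.seen[key]
            if prev_body != data:    # same key, different body
                return 409, {"success": False, "message": "constructed conflict"}
        else:
            self.transfers += 1
            result = {"id": "constructed-transfer-%d" % self.transfers}
            self.seen[key] = (data, result)
        if self.fail_first > 0:      # transfer recorded, but the reply is an error
            self.fail_first -= 1
            return 500, {"success": False, "message": "constructed failure"}
        return 200, result
```

Generating the key inside the loop, or re-running a shell command that calls `$(uuidgen)` again, would present each retry as a new operation.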

## Errors

Errors are returned as JSON with a consistent envelope:

```json
{
  "success": false,
  "message": "You must be logged in to do that. [4041-2121cyx]",
  "identifier": 4041,
  "rawStatus": 401,
  "displayType": "toast"
}
```

| Field         | Description                                                                                                                                                     |
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `message`     | Human-readable explanation, suitable for surfacing to end users. The bracketed `[<identifier>-<requestId>]` suffix uniquely identifies the failure for support. |
| `identifier`  | Stable numeric error code. Pair with `rawStatus` to branch programmatically.                                                                                    |
| `rawStatus`   | HTTP status of the response (mirrors the response status line).                                                                                                 |
| `displayType` | UI hint (`toast`, etc.) used by Slash's own clients; safe to ignore.                                                                                            |
| `success`     | Always `false` on errors.                                                                                                                                       |

Every response — success or failure — also carries an `x-request-id` header. Include it when reporting an issue.

Common statuses:

| Status                      | Meaning                                                                                              |
| --------------------------- | ---------------------------------------------------------------------------------------------------- |
| `400 Bad Request`           | Malformed body, missing required field, or missing `x-legal-entity` on a user-scoped key.            |
| `401 Unauthorized`          | Missing or invalid API key.                                                                          |
| `403 Forbidden`             | Authenticated, but the user/entity lacks permission for the resource.                                |
| `404 Not Found`             | The referenced resource does not exist (or is not visible to the caller).                            |
| `409 Conflict`              | Idempotency key replay with a mismatched body, or a state conflict on the target resource.           |
| `500 Internal Server Error` | Something went wrong on our end — retry, and contact support with the `x-request-id` if it persists. |
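
As an added example (not part of Slash's documentation or SDK), the function below turns a failed response into a structured record: it validates the envelope, pulls the `[<identifier>-<requestId>]` suffix out of `message`, and keeps the `x-request-id` header for support tickets. The action names and the sample request id are assumptions constructed for illustration; the sample body is the envelope shown above.

```python
import json
import re

SUFFIX = re.compile(r"\[(\d+)-([^\]\s]+)\]\s*$")   # "[<identifier>-<requestId>]"

ACTIONS = {   # hypothetical client-side policy derived from the status table
    400: "fix_request", 401: "check_api_key", 403: "check_permissions",
    404: "check_resource_id", 409: "do_not_retry", 500: "retry_then_support",
}

def parse_error(http_status, headers, body_text):
    """Return a record suitable for logging and for branching on the failure."""
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    record = {"status": http_status, "request_id": hdrs.get("x-request-id"),
              "identifier": None, "support_ref": None, "message": None,
              "action": ACTIONS.get(http_status, "unknown")}
    try:
        env = json.loads(body_text)
    except ValueError:
        env = None
    # A body that is not the documented envelope (for example an intermediary's
    # HTML error page), or whose rawStatus disagrees with the status line, is
    # flagged instead of being treated as an API error.
    if (not isinstance(env, dict) or env.get("success") is not False
            or env.get("rawStatus") != http_status):
        record["action"] = "unexpected_body"
        return record
    record["identifier"] = env.get("identifier")
    record["message"] = env.get("message")
    match = SUFFIX.search(str(env.get("message") or ""))
    if match:
        record["support_ref"] = "%s-%s" % (match.group(1), match.group(2))
    return record

# Envelope from the page; the request id passed alongside it is constructed.
SAMPLE_BODY = json.dumps({
    "success": False,
    "message": "You must be logged in to do that. [4041-2121cyx]",
    "identifier": 4041, "rawStatus": 401, "displayType": "toast",
})
```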
