Skip to main content

Staging

API basehttps://api.staging.blackbird.xyz/flynet/v1
OAuth basehttps://api.staging.blackbird.xyz/oauth
Consent hosthttps://passport.staging.flynet.org (reached via redirect from /oauth/authorize)
JWT issuer (iss)https://api-staging.blackbird.xyz

Production

API basehttps://api.blackbird.xyz/flynet/v1
OAuth basehttps://api.blackbird.xyz/oauth
JWT issuer (iss)https://api.blackbird.xyz
Chef’s warning - Production access is gated by partner approval. Do not hard-code production URLs in open-source samples or public demos until your integration is approved.
Tasting note - The JWT iss claim on staging uses a hyphen (api-staging), while the API hostname uses a dot (api.staging). Both DNS-resolve. The hyphen form is the auth tenant, the dot form is the API gateway. If you verify JWT signatures or check iss, expect the hyphen form on staging.
Tasting note - The OAuth flow starts at the OAuth base (/oauth/authorize) but 302-redirects the browser to the consent host passport.staging.flynet.org for the member to sign in and approve. That’s the same auth-tenant-vs-gateway split you see in the iss claim. The authorize request must carry PKCE parameters (code_challenge + code_challenge_method=S256); see OAuth.

Two credential sets

When your app is approved, Blackbird sends two complete credential sets: one for staging and one for production. Each set has its own client_id, client_secret, registered redirect URI, API key, and if applicable, flynet_merchant_id.
StagingProduction
Use forLocal dev, integration testingLive traffic
API baseapi.staging.blackbird.xyzapi.blackbird.xyz
CredentialsIssued at approvalIssued at production sign-off
The API key prefix you receive (bb_test_… or bb_live_…) is a labeling hint; the actual environment binding is server-side via the DeveloperApp that minted the key. Use the key you received against the environment you were provisioned for. Don’t try to swap keys across environments; they’re issued separately and authenticate against their own surface.