TL;DR

Production Base URL

https://api.polar.sh/v1

Sandbox Base URL

https://sandbox-api.polar.sh/v1

Auth (Organization)

Use an Organization Access Token (OAT) in the Authorization: Bearer header

Auth (Customer Portal)

Use a Customer Access Token created via /v1/customer-sessions/

Base URLs

EnvironmentBase URLPurpose
Productionhttps://api.polar.sh/v1Real customers & live payments
Sandboxhttps://sandbox-api.polar.sh/v1Safe testing & integration work
The sandbox environment is fully isolated—data, users, tokens, and organizations created there do not affect production. Create separate tokens in each environment.
Read more: Sandbox Environment

Authentication

Organization Access Tokens (OAT)

Use an OAT to act on behalf of your organization (manage products, prices, checkouts, orders, subscriptions, benefits, etc.). 
Authorization: Bearer polar_oat_xxxxxxxxxxxxxxxxx
Create OATs in your organization settings. See: Organization Access Tokens
Never expose an OAT in client-side code, public repos, or logs. If leaked, it will be revoked automatically by our secret scanning integrations.

Customer Access Tokens

Do not use OATs in the browser. For customer-facing flows, generate a Customer Session server-side, then use the returned customer access token with the Customer Portal API to let a signed-in customer view their own orders, subscriptions, and benefits.

Core API vs Customer Portal API

AspectCore APICustomer Portal API
AudienceYour server / backendOne of your customer
Auth TypeOrganization Access Token (OAT)Customer Access Token
ScopeFull org resources (products, orders, subscriptions, benefits, checkout)Only the authenticated customer’s data
Typical UseAdmin dashboards, internal tools, automation, provisioningBuilding a custom customer portal or gated app
Token CreationVia dashboard (manual)Via /v1/customer-sessions/ (server-side)
Sensitive OperationsYes (create/update products, issue refunds, etc.)No (read/update only what the customer owns)
The Customer Portal API is a restricted surface designed for safe exposure in user-facing contexts (after exchanging a session). It cannot perform privileged org-level mutations like creating products or issuing refunds.

Quick Examples

curl https://api.polar.sh/v1/products/ \
  -H "Authorization: Bearer $POLAR_OAT" \
  -H "Accept: application/json"

Using SDKs

All official SDKs accept a server parameter for sandbox usage: 
import { Polar } from "@polar-sh/sdk";

const polar = new Polar({
accessToken: process.env.POLAR_ACCESS_TOKEN!,
server: "sandbox", // omit or use 'production' for live
});

Rate Limits

Polar API has rate limits to ensure fair usage and maintain performance. The limits are as follows:
  • 300 requests per minute per organization/customer or OAuth2 Client.
  • 3 requests per second for unauthenticated license key validation, activation, and deactivation endpoints.
If you exceed the rate limit, you will receive a 429 Too Many Requests response. The response will include a Retry-After header indicating how long you should wait before making another request.
Organizations requiring higher rate limits for production workloads may contact our support team to discuss elevated limits.