Authentication
Authentication uses API keys with Bearer auth.
Header
Authorization: Bearer <API_KEY>
API Key Constraints
API keys are issued with an access type and linked to:
- One or more companies, or one or more agencies
- Scope permissions
- Optional IP allowlist
- Optional expiry date
Company-scoped keys can access data for the companies attached to the key.
Agency-scoped keys are limited to the agencies attached to the key and only to data for companies that are connected to those agencies.
Keys are stored hashed in the database and can be revoked at any time.
Rejection Conditions
Requests are rejected when the key is:
- Missing
- Invalid
- Revoked
- Expired
- Not valid for the current environment
- Not allowlisted by IP
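The rejection conditions above, written out as a server-side check. This is an added example, not code from the API described here; the SHA-256 hash, the record fields, the reason strings and the environment names "production" and "sandbox" are assumptions, and the keys are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def hash_key(raw: str) -> str:
    # Assumption: SHA-256 over a high-entropy random key; the page only says "stored hashed".
    return hashlib.sha256(raw.encode()).hexdigest()

@dataclass
class KeyRecord:  # hypothetical schema for a stored key
    key_hash: str
    environment: str
    revoked: bool = False
    expires_at: Optional[datetime] = None
    ip_allowlist: tuple = ()  # empty tuple = no IP restriction (optional allowlist)

def check_request(auth_header, client_ip, env, store, now=None):
    """Return (allowed, reason); reason is for server logs, not the response body."""
    now = now or datetime.now(timezone.utc)
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False, "missing"
    digest = hash_key(token.strip())
    # Only hashes are compared, so the raw key is never stored or logged.
    rec = next((r for r in store if hmac.compare_digest(r.key_hash, digest)), None)
    if rec is None:
        return False, "invalid"
    if rec.revoked:
        return False, "revoked"
    if rec.expires_at is not None and now >= rec.expires_at:
        return False, "expired"
    if rec.environment != env:
        return False, "wrong_environment"
    if rec.ip_allowlist:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(n) for n in rec.ip_allowlist):
            return False, "ip_not_allowlisted"
    return True, "ok"

# Constructed sample records (not real keys).
STORE = [
    KeyRecord(hash_key("live-key-1"), "production", ip_allowlist=("203.0.113.0/24",)),
    KeyRecord(hash_key("old-key"), "production", revoked=True),
    KeyRecord(hash_key("test-key"), "sandbox",
              expires_at=datetime(2020, 1, 1, tzinfo=timezone.utc)),
]
```

Scope and company or agency checks would run after this function returns allowed, since they depend on the resource being requested.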