# Authentication
Every request to the Compliance API requires two HTTP headers — both issued to your product in the product portal.
| Header | Purpose |
|---|---|
| `X-Api-Key` | Identifies your product |
| `X-Api-Secret` | Authenticates the request |
Both values are random 32-byte secrets, base64-encoded — treat both like passwords. Store them in a secret manager, never commit them to source control, and rotate them if they leak.
## Example

```bash
curl https://api.your-platform.example/v1/applicants \
  -H "X-Api-Key: $API_KEY" \
  -H "X-Api-Secret: $API_SECRET"
```
## Issuing & rotating credentials
API keys are issued in the product portal under Developer → API Credentials. From there you can:
- Create a new key/secret pair. The secret is shown to you exactly once on creation — copy it into your secret manager immediately.
- Rotate an existing pair — generates fresh values; the old pair stops working. For zero-downtime rotation, create a second pair, roll your callers over to it, then deactivate the original.
- Deactivate any key — that key stops working immediately on the next request.
## What happens with bad credentials

| Symptom | Cause |
|---|---|
| `401 Unauthorized` with "X-Api-Key and X-Api-Secret headers are required" | One or both headers missing. |
| `401 Unauthorized` with "Invalid API credentials" | Header values don't match an active key pair (deactivated, mistyped, or never issued). |
| `403 Forbidden` | Credentials are valid but your product doesn't have access to the requested resource (for example, an applicant created under a different product). |
See Error handling for the complete list of status codes the API returns and how your client should react.
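The following is an added example, not the platform's own SDK or client code. It ties the three sections above together: credentials are loaded from the environment (where your secret manager places them) rather than from source, the secret is kept out of `repr` so it never lands in logs, both headers are attached to every request, the documented `401`/`403` responses are mapped to a typed error, and a `rotate()` method shows the zero-downtime swap to a second key pair. The `BASE_URL` is taken from the `curl` example above; the fake transport, the `/applicants` response body, and the `key-A`/`key-B` credential values are constructed for the offline demonstration and are assumptions, not values issued by the portal.

```python
"""Added example client for the Compliance API authentication scheme.
Not the platform's SDK; the fake transport and sample credentials are
constructed so the block runs offline."""
import json
import os
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

BASE_URL = "https://api.your-platform.example/v1"  # from the page's curl example

# A transport takes (url, headers) and returns (status_code, body_text).
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


class ComplianceAuthError(Exception):
    """Raised for the documented 401/403 authentication and access failures."""


@dataclass(frozen=True)
class Credentials:
    api_key: str
    api_secret: str = field(repr=False)  # keep the secret out of logs and tracebacks

    @classmethod
    def from_env(cls) -> "Credentials":
        # Populated by your secret manager at deploy time; never read from source control.
        key, secret = os.environ.get("API_KEY"), os.environ.get("API_SECRET")
        if not key or not secret:
            raise ComplianceAuthError("API_KEY and API_SECRET must be set in the environment")
        return cls(key, secret)

    def headers(self) -> Dict[str, str]:
        return {"X-Api-Key": self.api_key, "X-Api-Secret": self.api_secret}


def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTP transport using only the standard library."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def classify_auth_failure(status: int, body: str) -> Optional[str]:
    """Map the documented failure responses to a short cause label.
    Returns None when the response is not an authentication/access failure."""
    if status == 401:
        if "headers are required" in body:
            return "missing_headers"
        if "Invalid API credentials" in body:
            return "invalid_or_deactivated"
        return "unauthorized"
    if status == 403:
        return "forbidden_for_product"
    return None


class ComplianceClient:
    def __init__(self, creds: Credentials, transport: Transport = urllib_transport):
        self._creds = creds
        self._transport = transport

    def rotate(self, new_creds: Credentials) -> None:
        """Zero-downtime rotation: create a second pair in the portal, swap it in
        here on every caller, then deactivate the original pair."""
        self._creds = new_creds

    def get(self, path: str) -> Tuple[int, str]:
        status, body = self._transport(BASE_URL + path, self._creds.headers())
        cause = classify_auth_failure(status, body)
        if cause is not None:
            # Surface the documented cause without echoing the credentials themselves.
            raise ComplianceAuthError(f"{status}: {cause}")
        return status, body


def fake_transport(active_pairs: Dict[str, str]) -> Transport:
    """Constructed stand-in for the API that mirrors the documented 401 responses."""
    def send(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        key, secret = headers.get("X-Api-Key"), headers.get("X-Api-Secret")
        if not key or not secret:
            return 401, json.dumps({"error": "X-Api-Key and X-Api-Secret headers are required"})
        if active_pairs.get(key) != secret:
            return 401, json.dumps({"error": "Invalid API credentials"})
        return 200, json.dumps({"applicants": []})
    return send


if __name__ == "__main__":
    api = fake_transport({"key-A": "secret-A", "key-B": "secret-B"})  # constructed values
    client = ComplianceClient(Credentials("key-A", "secret-A"), api)
    print(client.get("/applicants"))
    client.rotate(Credentials("key-B", "secret-B"))  # caller now on the second pair
    print(client.get("/applicants"))
    try:
        ComplianceClient(Credentials("key-A", "wrong"), api).get("/applicants")
    except ComplianceAuthError as err:
        print("rejected:", err)
```

In production, construct the client with `Credentials.from_env()` and the default `urllib_transport`; the fake transport exists only so the rotation and error paths can be exercised without network access.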