API Keys
An API Key identifies a specific application. The API key is reserved for specific organizations, such as a financial institution’s development team or an application vendor. Each application should use its own API key.
An API Key is required for unauthenticated API calls. This is specified with the apiKey security requirement on API operations. Many calls cannot be made unauthenticated.
Protecting your API key
An API key is like a key to your house. Just as possession of a house key grants any holder access to the house, possession of an API key grants an application access to the APIs. Apiture enforces API rate limits and rejects requests when a rate limit is exceeded. Rate limits will be exceeded more quickly if multiple sources use the same API key. Requests will also be rejected if they are suspected to be malicious access attempts.
If you believe your API Key has been compromised, log into the developer portal and disable the key. Any client applications that use the revoked key will stop working. Contact Apiture to request a new key. Once the new key is received, update the application to use the new API key.
You should keep your company’s API key private and secure. Do not share it with other users, do not store it in version control, and do not note it in documentation.
APIs are accessed only over encrypted HTTPS, which provides a level of protection for API Keys and Authorization headers passed to the APIs.
Passing the API key on requests
Client applications must include an API key with requests to API operations that do not require user or client credentials. This is done with a request header called API-Key, as defined by the apiKey security definition.
For example, if your API key is
ba9ac78c04f5270f54db975038d442154f70bfd2af8ec956fb9c
add an HTTP request header to each API call that uses apiKey security:
API-Key: ba9ac78c04f5270f54db975038d442154f70bfd2af8ec956fb9c
Header names are not case sensitive.
If a request does not contain an API-Key header or Authorization header when required, the operation fails with a 401 Unauthorized response code.
If an operation requires authorization and the request passes an invalid API key, the operation fails with a 403 Forbidden response code.
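The following client sketch is an added example, not Apiture's own code. It reads the key from the environment rather than from source, refuses to attach it to a non-https URL, and turns the 401 and 403 responses described above into errors that never contain the key. The environment variable name `APITURE_API_KEY` and all function names are assumptions made for this example.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: the environment variable name is hypothetical, chosen for this example.
API_KEY_ENV = "APITURE_API_KEY"


class ApiKeyError(Exception):
    """Raised when the key is missing, would be sent insecurely, or is rejected."""


def load_api_key(environ=os.environ):
    """Read the key from the environment so it never lands in version control."""
    key = environ.get(API_KEY_ENV, "").strip()
    if not key:
        raise ApiKeyError(f"{API_KEY_ENV} is not set")
    return key


def build_request(url, api_key):
    """Attach the API-Key header, refusing any URL that is not https."""
    if urlsplit(url).scheme.lower() != "https":
        raise ApiKeyError("refusing to send the API key over a non-https URL")
    request = urllib.request.Request(url, method="GET")
    request.add_header("API-Key", api_key)  # header names are not case sensitive
    return request


def explain_status(status):
    """Map the two failure codes documented above to an operator hint."""
    if status == 401:
        return "401: request lacked a required API-Key or Authorization header"
    if status == 403:
        return "403: API key was invalid; check whether it was disabled"
    return None


def call_api(url, environ=os.environ):
    """Send one request; raise ApiKeyError (without the key in it) on 401/403."""
    request = build_request(url, load_api_key(environ))
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.read()
    except urllib.error.HTTPError as err:
        hint = explain_status(err.code)
        if hint is None:
            raise
        raise ApiKeyError(hint) from None
```

Because the error messages are built from the status code alone, they can be logged without exposing the key.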