API Authentication and Error Handling

Base URL

Your production base URL is provided during onboarding.

Examples below use:

https://YOUR_API_HOST/api/v1

Supplier authentication

Suppliers authenticate lead-submission requests with an issued API key in the x-api-key header.

POST /api/v1/ingest
x-api-key: YOUR_SUPPLIER_API_KEY
Content-Type: application/json

Store supplier API keys server-side only. Never expose them in browser code, public repositories, screenshots, or support tickets.

Buyer authentication

Buyers can exchange a buyer API key for a short-lived bearer token.

POST /api/v1/auth/buyer
Content-Type: application/json

{
"api_key": "YOUR_BUYER_API_KEY"
}

Example response:

{
"token": "YOUR_ACCESS_TOKEN",
"partnerKey": "your_partner_key",
"expiresIn": "24h"
}

Use the token on buyer API requests:

Authorization: Bearer YOUR_ACCESS_TOKEN

Some buyer portal users may also authenticate with email and password if their account has been provisioned.

Common responses

Status

Meaning

Typical action

400

Required fields are missing or invalid.

Fix the request body or query parameters.

401

API key or token is missing, invalid, or expired.

Check credentials and token expiry.

403

Credential is valid but not allowed for this resource.

Confirm partner ownership or feature access.

404

Resource not found or feature is disabled.

Confirm ID, account access, or beta enablement.

409

Duplicate action or already-returned resource.

Inspect existing status before retrying.

422

Business rule validation failed.

Review return policy, proof requirements, or reason codes.

429

Too many requests.

Back off and retry later.

500

Server-side issue.

Retry later or contact support if persistent.

Security reminders

  • Use HTTPS for all API traffic.

  • Store API keys in server-side secrets management.

  • Rotate credentials immediately if exposure is suspected.

  • Do not paste full credentials into support tickets.

  • Do not share lead exports publicly.


Was this article helpful?