API Authentication and Error Handling
Base URL
Your production base URL is provided during onboarding.
Examples below use:
https://YOUR_API_HOST/api/v1
Supplier authentication
Suppliers authenticate lead-submission requests with an issued API key in the x-api-key header.
POST /api/v1/ingest
x-api-key: YOUR_SUPPLIER_API_KEY
Content-Type: application/json
Store supplier API keys server-side only. Never expose them in browser code, public repositories, screenshots, or support tickets.
Buyer authentication
Buyers can exchange a buyer API key for a short-lived bearer token.
POST /api/v1/auth/buyer
Content-Type: application/json
{
"api_key": "YOUR_BUYER_API_KEY"
}
Example response:
{
"token": "YOUR_ACCESS_TOKEN",
"partnerKey": "your_partner_key",
"expiresIn": "24h"
}
Use the token on buyer API requests:
Authorization: Bearer YOUR_ACCESS_TOKEN
Some buyer portal users may also authenticate with email and password if their account has been provisioned.
Common responses
Status | Meaning | Typical action |
|---|---|---|
400 | Required fields are missing or invalid. | Fix the request body or query parameters. |
401 | API key or token is missing, invalid, or expired. | Check credentials and token expiry. |
403 | Credential is valid but not allowed for this resource. | Confirm partner ownership or feature access. |
404 | Resource not found or feature is disabled. | Confirm ID, account access, or beta enablement. |
409 | Duplicate action or already-returned resource. | Inspect existing status before retrying. |
422 | Business rule validation failed. | Review return policy, proof requirements, or reason codes. |
429 | Too many requests. | Back off and retry later. |
500 | Server-side issue. | Retry later or contact support if persistent. |
Security reminders
Use HTTPS for all API traffic.
Store API keys in server-side secrets management.
Rotate credentials immediately if exposure is suspected.
Do not paste full credentials into support tickets.
Do not share lead exports publicly.