Authentication
All API requests must include your API key in the Authorization header.
Bearer Token Authentication
Include your API key as a Bearer token:
curl -H "Authorization: Bearer rb_live_YOUR_API_KEY" \
  https://api.rebased.app/api/v1/external/clients
API Key Format
API keys follow this format:
- Live keys: rb_live_ followed by 32+ characters
- Test keys: rb_test_ followed by 32+ characters (coming soon)
Example: rb_live_2FouCuDs5nMDQ95UjsZ1zd7o5c-IqftVfpZb9mll8oo
Security Best Practices
- Never expose API keys in client-side code — API keys should only be used server-to-server
- Store keys securely — Use environment variables or a secrets manager
- Rotate keys regularly — Use the Rotate function in Settings → Integrations
- Use minimal scopes — Only request the scopes your integration needs
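The first two practices can be checked automatically in CI or a pre-commit hook. The following is an added example, not code from Rebased: it scans text for strings shaped like the keys described above and reports them redacted. The character class after the prefix, the file name and the REBASED_API_KEY variable name are assumptions.

```python
import re

# Assumption: the 32+ characters after the prefix use the URL-safe base64
# alphabet, as the example key on this page does.
KEY_RE = re.compile(r"\brb_(live|test)_[A-Za-z0-9_-]{32,}")

def redact(key):
    """Keep the 8-character prefix and the last 4 characters only."""
    return f"{key[:8]}...{key[-4:]}"

def scan_text(text, source="<input>"):
    """Return one finding per key-shaped string, never the key itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append({
                "source": source,
                "line": lineno,
                "env": m.group(1),          # "live" or "test"
                "key": redact(m.group(0)),  # safe to log
            })
    return findings

# Constructed sample: a front-end file with one hardcoded key, the docs
# placeholder, and a server-side environment lookup (hypothetical names).
FAKE_KEY = "rb_live_" + "A1b2C3d4E5f6G7h8J9k0L1m2N3p4Q5r6"
SAMPLE = f'''const headers = {{ Authorization: "Bearer {FAKE_KEY}" }};
// curl -H "Authorization: Bearer rb_live_YOUR_API_KEY"
const key = process.env.REBASED_API_KEY;
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "static/app.js"):
        print(f"{f['source']}:{f['line']}: {f['env']} key {f['key']}")
```

The documentation placeholder is not flagged because it is shorter than 32 characters after the prefix; a real finding should be treated as a leaked key and rotated.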
Error Responses
Missing API Key
{
  "detail": "Not authenticated"
}
Status: 401 Unauthorized
Invalid API Key
{
  "detail": "Invalid API key"
}
Status: 401 Unauthorized
Revoked or Expired Key
{
  "detail": "API key is revoked"
}
Status: 401 Unauthorized
Missing Scope
{
  "detail": "Missing required scope: invoices:read"
}
Status: 403 Forbidden
Scopes
Each API key has specific scopes that determine which endpoints it can access:
| Scope | Access |
|---|---|
| clients:read | Read clients |
| clients:write | Create clients |
| suppliers:read | Read suppliers |
| suppliers:write | Create suppliers |
| invoices:read | Read invoices |
| invoices:write | Create invoices |
| bills:read | Read bills |
| bills:write | Create bills |
| items:read | Read catalog items |
| items:write | Create catalog items |
| quotes:read | Read quotes |
| accounts:read | Read chart of accounts |
| tax_codes:read | Read tax codes |
| reports:read | Read financial reports |
| bank_transactions:read | Read bank accounts and transactions |
When creating an API key, select only the scopes your integration requires.