Skip to main content

Authentication

Azotte uses API key-based authentication with tenant context for secure access to all platform services.

Authentication Overview

Every API request requires:

  • API Key: Identifies and authenticates your application
  • Tenant Context: Specifies which tenant's data to access

API Key Types

Development Keys

  • Prefix: pk_dev_ (publishable) or sk_dev_ (secret)
  • Environment: Sandbox/Development
  • Limitations: Test data only, rate limited
  • Best for: Development, testing, integration

Production Keys

  • Prefix: pk_live_ (publishable) or sk_live_ (secret)
  • Environment: Live/Production
  • Capabilities: Full access, higher rate limits
  • Best for: Production applications

Required Headers

GET /api/v1/subscriptions HTTP/1.1
Host: api.azotte.com
x-api-key: sk_dev_1234567890abcdef
x-tn: tenant_abc123
Content-Type: application/json

Header Descriptions

  • x-api-key: Your API key (required)
  • x-tn: Tenant ID for data isolation (required)
  • Content-Type: Always application/json for POST/PUT requests

Authentication Examples

cURL Example

curl -X GET https://api.azotte.com/v1/subscriptions \
  -H "x-api-key: sk_dev_1234567890abcdef" \
  -H "x-tn: tenant_abc123" \
  -H "Content-Type: application/json"

JavaScript/Node.js

const response = await fetch('https://api.azotte.com/v1/subscriptions', {
  method: 'GET',
  headers: {
    'x-api-key': 'sk_dev_1234567890abcdef',
    'x-tn': 'tenant_abc123',
    'Content-Type': 'application/json'
  }
});

Python

import requests

headers = {
    'x-api-key': 'sk_dev_1234567890abcdef',
    'x-tn': 'tenant_abc123',
    'Content-Type': 'application/json'
}

response = requests.get(
    'https://api.azotte.com/v1/subscriptions',
    headers=headers
)

Security Best Practices

Key Management

  • Never expose secret keys in client-side code
  • Use environment variables for key storage
  • Rotate keys regularly (quarterly recommended)
  • Use different keys for different environments

Network Security

  • All API calls must use HTTPS
  • Validate SSL certificates in production
  • Use secure headers for additional protection

Error Handling

{
  "error": {
    "code": "authentication_failed",
    "message": "Invalid API key provided",
    "type": "authentication_error"
  }
}

Next Steps