Allocora
Docs / API Keys

Reference

Use API keys for authenticated Allocora API access

API keys are issued inside an Allocora workspace and should be scoped to the automation that needs access.

Start Free Try Sample Data

Details

What to know

Key handling

Treat API keys as secrets. Store them in your server-side environment or secret manager, never in a browser bundle.

  • Create keys from the workspace integrations area.
  • Use the bearer token only from trusted server-side jobs.
  • Rotate keys when access changes or a secret is exposed.

Reference Tables

Fields and checks

Common API responses

Use these response states when testing API access from an automation.

Response Likely meaning What to do
200 OK The key was accepted and the endpoint responded. Continue testing with non-production data first.
401 Unauthorized The bearer token is missing, invalid, expired, or malformed. Rotate or re-copy the key and send it only from the server side.
403 Forbidden The key is valid but does not have access to the requested workspace or action. Create a key with the right workspace scope or use the correct workspace automation.
422 Unprocessable Content The request payload failed validation. Compare the payload with the endpoint example and fix missing or invalid fields.

Examples

Request and response examples

Health check request

curl -H "Authorization: Bearer <ALLOCORA_API_KEY>" \
  https://www.allocora.com/api/allocora/ping

Example response

{
  "status": "ok",
  "service": "allocora"
}

Feedback

Was this page helpful?

Send a note if a step is unclear, missing, or out of date.

Email Support

Apply this in a workspace

Start free, use sample data, then replace examples with your own revenue rows when the workflow is clear.

Start Free Browse Docs