Authentication

Bearer Token (Recommended)
Include your API key in the Authorization header:

API Key in Header
Alternative method using X-API-Key header:

Read Permissions
- tenders:read - Access tender listings
- companies:read - View company profile
- applications:read - View application status

Write Permissions
- applications:write - Submit applications
- companies:write - Update company profile
- documents:write - Upload documents

Admin Permissions
- users:read - View user information (Enterprise only)
- analytics:read - Access analytics (Enterprise only)

Professional Plan
- 1,000 requests per hour
- 10,000 requests per day

Enterprise Plan
- 5,000 requests per hour
- 50,000 requests per day

Rate limit headers are included in responses:

401 Unauthorized
Invalid or missing API key:

403 Forbidden
Insufficient permissions:

429 Too Many Requests
Rate limit exceeded:

Using curl

Using JavaScript (fetch)

Using Python (requests)

Verifying Webhook Signatures

1. Secure Storage
- Store API keys in environment variables
- Use secret management services (AWS Secrets Manager, etc.)
- Never commit keys to version control

2. Error Handling
- Implement exponential backoff for rate limits
- Cache responses where appropriate
- Handle authentication errors gracefully

3. Monitoring
- Track API usage and rate limits
- Monitor for unusual activity
- Set up alerts for authentication failures

Common Issues

"Invalid API key"
- Verify the key is copied correctly
- Check for extra spaces or characters
- Ensure the key is active

"Rate limit exceeded"
- Implement request throttling
- Use caching to reduce requests
- Consider upgrading your plan

"Insufficient permissions"
- Check your subscription plan
- Verify key permissions in dashboard
- Contact support for additional access

Testing Your API Key
Use our test endpoint to verify your key: