Authentication
The Billoget API uses API Keys for authentication. This guide will walk you through how authentication works and how to use it in your applications.
๐ Authentication Methodโ
API Key Authenticationโ
All API requests must include an API key in the Authorization header using the Bearer token format:
Authorization: Bearer bk_live_1234567890abcdef...
No Session Managementโ
Unlike traditional web applications, the API is stateless. Each request must include the API key - there's no session management or cookie handling required.
๐ API Key Formatโ
API keys follow a specific format to ensure security and easy identification:
bk_live_1234567890abcdef1234567890abcdef
Format breakdown:
bk_- Billoget prefixlive_- Environment indicator (live/test)1234567890abcdef...- Random secure token
๐ฏ Scopes and Permissionsโ
Each API key has specific scopes that determine what actions it can perform:
Available Scopesโ
| Scope | Description | Endpoints |
|---|---|---|
READ_BUDGETS | Read budget data | GET /api/public/budgets |
WRITE_BUDGETS | Create/update budgets | POST/PUT/DELETE /api/public/budgets |
READ_CUSTOMERS | Read customer data | GET /api/public/customers |
WRITE_CUSTOMERS | Create/update customers | POST/PUT/DELETE /api/public/customers |
READ_PRODUCTS | Read product data | GET /api/public/products |
WRITE_PRODUCTS | Create/update products | POST/PUT/DELETE /api/public/products |
WEBHOOKS | Receive webhooks | POST /api/public/webhooks/test |
Scope Validationโ
When you make a request, the API checks if your API key has the required scope:
{
"error": "insufficient_scope",
"message": "API key does not have required scope: WRITE_BUDGETS"
}
๐ ๏ธ Making Authenticated Requestsโ
Basic Request Structureโ
curl -X GET "https://api.billoget.com/v1/api/public/budgets" \
-H "Authorization: Bearer bk_live_1234567890abcdef" \
-H "Content-Type: application/json"
JavaScript Exampleโ
const apiKey = "bk_live_1234567890abcdef";
const baseUrl = "https://api.billoget.com/v1";
const headers = {
Authorization: `Bearer ${apiKey}`,
"Content-Type": "application/json",
};
// GET request
const response = await fetch(`${baseUrl}/api/public/budgets`, {
method: "GET",
headers: headers,
});
const data = await response.json();
Python Exampleโ
import requests
api_key = 'bk_live_1234567890abcdef'
base_url = 'https://api.billoget.com/v1'
headers = {
'Authorization': f'Bearer {api_key}',
'Content-Type': 'application/json'
}
# GET request
response = requests.get(f'{base_url}/api/public/budgets', headers=headers)
data = response.json()
PHP Exampleโ
<?php
$apiKey = 'bk_live_1234567890abcdef';
$baseUrl = 'https://api.billoget.com/v1';
$headers = [
'Authorization: Bearer ' . $apiKey,
'Content-Type: application/json'
];
// GET request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $baseUrl . '/api/public/budgets');
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
$data = json_decode($response, true);
curl_close($ch);
?>
๐ Security Best Practicesโ
1. Keep API Keys Secretโ
- Never expose API keys in client-side code
- Store keys in environment variables or secure configuration
- Use different keys for different environments
2. Use HTTPS Onlyโ
- All API requests must use HTTPS
- Never send API keys over HTTP
3. Rotate Keys Regularlyโ
- Regenerate API keys periodically
- Have a key rotation strategy in place
- Monitor key usage for unusual activity
4. Implement IP Whitelistingโ
- Restrict API key usage to specific IP addresses
- Use this feature for production environments
5. Monitor Usageโ
- Track API key usage regularly
- Set up alerts for unusual activity
- Review access logs periodically
โ Common Authentication Errorsโ
401 Unauthorizedโ
{
"error": "unauthorized",
"message": "Invalid or missing API key"
}
Causes:
- Missing
Authorizationheader - Invalid API key format
- Expired or revoked API key
403 Forbiddenโ
{
"error": "insufficient_scope",
"message": "API key does not have required scope: WRITE_BUDGETS"
}
Causes:
- API key doesn't have required scope
- IP address not whitelisted
- API key suspended
429 Too Many Requestsโ
{
"error": "rate_limit_exceeded",
"message": "Rate limit exceeded. Try again in 3600 seconds"
}
Causes:
- Exceeded rate limit for the API key
- Too many requests in short time period
๐งช Testing Authenticationโ
Test API Key Validityโ
curl -X GET "https://api.billoget.com/v1/api/public/budgets?limit=1" \
-H "Authorization: Bearer bk_live_1234567890abcdef" \
-H "Content-Type: application/json"
Expected Responseโ
{
"data": [],
"pagination": {
"page": 1,
"limit": 1,
"total": 0,
"hasMore": false
}
}
๐ Environment-Specific Keysโ
Development vs Productionโ
- Use
bk_test_prefixed keys for development - Use
bk_live_prefixed keys for production - Never use production keys in development
Key Managementโ
// Environment-specific configuration
const config = {
development: {
apiKey: "bk_test_1234567890abcdef",
baseUrl: "https://api.billoget.com/v1",
},
production: {
apiKey: "bk_live_1234567890abcdef",
baseUrl: "https://api.billoget.com/v1",
},
};
const env = process.env.NODE_ENV || "development";
const apiConfig = config[env];
๐ Next Stepsโ
Now that you understand authentication, let's learn about:
- API Keys - How to create and manage API keys
- Rate Limiting - Understanding rate limits
- Error Handling - Handling API errors gracefully
๐ Additional Resourcesโ
- API Keys Management - Create and manage your API keys
- Postman Collection - Test authentication with Postman
Ready to create your first API key? Let's go to API Keys! ๐