Developers
Authentication model
Requests require an authenticated session context or a managed API key, plus tenant authorization. API handlers apply zero-trust checks per request and return safe, structured envelopes.
API keys
API keys are generated by signed-in users through the API and are tenant-scoped by design. The plaintext key is shown only once at creation, stored hashed at rest, and can be revoked at any time.
Keys are scope-restricted and evaluated per endpoint. High-impact ingestion management flows remain session-only and are not accessible through API keys.
Authorization: Bearer crp.<lookup>.<secret>
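A sketch of how a handler could verify a key in this format on each request. This is an added example, not the service's own code. The in-memory store, the choice of SHA-256 for the stored hash, the scope names and the reason strings are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PREFIX = "crp"
SESSION_ONLY = {"ingestion:manage"}  # hypothetical scope name for session-only flows

def _digest(secret):
    # Assumption: SHA-256 over a high-entropy random secret; the page only says "hashed".
    return hashlib.sha256(secret.encode()).hexdigest()

def issue_key(store, tenant_id, scopes):
    """Create a tenant-scoped key; the plaintext is returned once and never stored."""
    lookup, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
    store[lookup] = {"tenant_id": tenant_id, "scopes": frozenset(scopes),
                     "secret_sha256": _digest(secret), "revoked": False}
    return f"{PREFIX}.{lookup}.{secret}"

def authorize(store, header, tenant_id, required_scope):
    """Return (allowed, reason) for one request; anything unexpected is a deny."""
    scheme, _, token = (header or "").partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3 or parts[0] != PREFIX or not all(parts):
        return False, "invalid_credentials"
    record = store.get(parts[1])
    # Hash and compare even on a lookup miss so both paths do the same work.
    expected = record["secret_sha256"] if record else "0" * 64
    matches = hmac.compare_digest(_digest(parts[2]), expected)
    if record is None or not matches or record["revoked"]:
        return False, "invalid_credentials"
    if record["tenant_id"] != tenant_id:
        return False, "forbidden"  # key belongs to another tenant
    if required_scope in SESSION_ONLY or required_scope not in record["scopes"]:
        return False, "forbidden"  # session-only flow, or scope not granted
    return True, "ok"
```

Unknown, malformed, wrong-secret and revoked keys all return the same reason, so a caller cannot tell which lookup values exist.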
Operational expectation
Production API traffic should be served over encrypted transport, with short-lived session handling, scoped authorization, rate-limited auth attempts, and explicit audit capture for privileged operations.