Developer & APIPartner api
Authentication
Bearer-key authentication, entitlement-aware limits, and secure key handling for the Partner API.
Entwicklerdocs2 Min. LesezeitGeprüft 16. Apr. 2026
Authentication
The Partner API uses bearer credentials issued to approved organisations. Keys must be stored and used server-side only.
Key families
| Key family | Prefix | Use case |
|---|---|---|
| Sandbox | ntp_test_* | Development, QA, and integration testing |
| Production | ntp_live_* | Live commercial traffic |
Request format
Send the key in the Authorization header:
GET /api/v1/rfq HTTP/1.1
Host: api.nowtoprint.com
Authorization: Bearer ntp_live_xxxxxxxxxxxxxxxxxxxx
Accept: application/jsonOperational expectations
| Topic | Guidance |
|---|---|
| Scope model | Key capabilities and limits depend on entitlement and rollout posture |
| Rotation | Rotate keys on a regular cadence and immediately after exposure |
| Idempotency | Use Idempotency-Key on metered reads or writes that may be retried; X-Idempotency-Key remains accepted for older clients |
| Logging | Store request IDs and redact credentials from logs |
| Webhooks | Treat webhook secrets with the same care as API keys |
Common auth failures
| Status | Meaning | Typical fix |
|---|---|---|
401 | Missing or invalid credential | Verify bearer header format and the correct key family |
403 | Scope or entitlement mismatch | Request the missing capability or broader access |
429 | Limit or rollout ceiling reached | Back off and trust Retry-After plus response headers |
Security checklist
- keep keys in server-side secret storage
- never ship keys into client-side JavaScript
- do not commit credentials or example live values to source control
- redact auth headers in logs, traces, and error payloads
- use separate sandbox and production credentials
Related docs
War dieser Artikel hilfreich?
Verwandte Artikel
Edit on GitHub
Zuletzt aktualisiert