Skip to main content

Authentication

Authenticated endpoints use API keys. Send the key in the X-API-Key request header.

X-API-Key: <API_KEY>

Bearer token format is also accepted:

Authorization: Bearer <API_KEY>

API keys start with rp_.

API Key Constraints

API keys are created inside RemyPass and linked to:

A company
Explicit endpoint permissions
Optional expiry date
Per-minute and per-day rate limits

Keys are stored hashed in the database. A key can be deactivated, deleted, or allowed to expire.

Access Requirements

Public API access requires:

A valid active API key
An active company account
Public API access on the company's plan
The permission required by the endpoint

Rejection Conditions

Requests are rejected when the key is:

Missing
Invalid
In the wrong format
Inactive
Expired
Missing the permission required by the endpoint
Linked to a company without Public API access

Authentication failures return HTTP 401. Permission or plan failures return HTTP 403.

Header
API Key Constraints
Access Requirements
Rejection Conditions