The Defacto API utilises API keys to authenticate requests.
In particular, authentication to the API is performed via HTTP Bearer Authentication (also called token authentication).
So, to perform an authenticated API call, you must set the
Authorization header of your HTTP request to
In this page, we guide through getting an Defacto API key and making your first authentication request.
Getting an API Key
The Defacto web application must be used to get an API key (sandbox here or production here). If this is your first time here, open the sandbox link.
Sandbox and production use distinct API keys
We generate different API keys and use two distinct accounts for the sandbox and production. So, be careful to use your API key with the right environment.
The below screenshot shows how to access the Settings section where you can get an API key.
On the settings page, you will be able to get your first API key by clicking the Create API Key button (see example below).
Click the three dots on the right and Copy token. Then, come back to this guide.
API Key management on the Defacto Web Application
From the web application you can:
- View and manage your API keys in the Settings menu.
- Create an API key by using the
Create API Keybutton.
- Revoke API keys in the actions column next to the API key you wish to revoke.
Your first authenticated API call
The API key that you just got should look like this:
Open the /hello page in a new tab, write
Bearer in the authentication header section, followed by a space, and then paste your newly created API key. After that, click the Try it button.
You will see a welcoming message as a response. Congratulations!!! 🥳 You just did your first authenticated API call with the Defacto API.
Using the API key for programmatic API calls
To perform an authenticated API call programmatically, you must set the
Authorization header of your HTTP requests to
Bearer <YOUR_API_KEY>. This is very similar to what we just did from the documentation.
curl --location --request GET 'https://api-sandbox.getdefacto.com/hello' -H 'Authorization: Bearer <API_KEY>'
Bearer authentication should only be used over HTTPS (SSL). API requests without authentication will fail and return a 401 HTTP code.
Now, you should be ready to integrate with our API.
Keep your API keys secure!
API keys carry many privileges, so keep them secure! Do not share your secret API keys in publicly accessible areas.