Authentication
Secure your API requests with API keys
The EntityEngine API uses API keys to authenticate requests. You can create and manage API keys from your account settings. Each key can be configured with specific scopes to limit what actions it can perform.
Keep your API keys secure
Your API keys carry many privileges. Do not share them in publicly accessible areas such as GitHub, client-side code, or public repositories.
Creating API Keys
- Log in to your EntityEngine account
- Navigate to Profile → API Keys
- Click Create API Key
- Give your key a descriptive name (e.g., "Production", "Development")
- Select the scopes your application needs
- Click Create Key
- Important: Copy your API key immediately. It will only be shown once!
API keys are prefixed with sk_live_ to help you identify them in your code.
Using API Keys
Include your API key in the Authorization header of every request:
Authorization: Bearer sk_live_your_api_key_hereExample Request
curl -X GET "https://app.entityengine.com/api/v1/entities" \
-H "Authorization: Bearer sk_live_abc123def456"JavaScript Example
const response = await fetch('https://app.entityengine.com/api/v1/entities', {
headers: {
'Authorization': 'Bearer sk_live_abc123def456',
'Content-Type': 'application/json',
},
});
const data = await response.json();API Scopes
Scopes control what actions an API key can perform. Always use the minimum scopes necessary for your application.
| Scope | Description |
|---|---|
entities:read | View entities, jurisdictions, products, and requirements |
entities:write | Create and update entities |
documents:read | View and download documents |
documents:write | Upload documents |
persons:read | View directors, shareholders, and UBOs |
persons:write | Add and update persons |
webhooks:read | View webhook endpoints |
webhooks:write | Manage webhook endpoints |
Rate Limiting
API requests are rate limited to ensure fair usage. The default limit is 60 requests per minute per API key.
Rate Limit Headers
Every response includes headers to help you track your rate limit status:
| Header | Description |
|---|---|
X-RateLimit-Limit | Maximum requests allowed per window |
X-RateLimit-Remaining | Requests remaining in current window |
X-RateLimit-Reset | Unix timestamp when the window resets |
Handling Rate Limits
When you exceed the rate limit, you'll receive a 429 Too Many Requests response:
{
"success": false,
"error": {
"code": "RATE_LIMIT_EXCEEDED",
"message": "Rate limit exceeded. Please retry after 45 seconds."
}
}Best Practice
Implement exponential backoff when you receive a 429 response. Check theX-RateLimit-Resetheader to know when you can retry.
Authentication Errors
UNAUTHORIZEDThe API key is missing, invalid, or has been revoked.
FORBIDDENThe API key doesn't have the required scope for this action.
RATE_LIMIT_EXCEEDEDToo many requests. Wait and retry after the rate limit window resets.