Overview
Request Network API supports two authentication modes:x-api-keyfor server-side integrationsx-client-idfor browser/client integrations (withOriginheader)
POST /v1/webhook with the x-client-id header).
Choose the Right Method
| Method | Best for | Header(s) |
|---|---|---|
| API Key | Backend services, cron jobs, trusted server environments | x-api-key |
| Client ID | Browser/front-end calls where client auth is required | x-client-id (+ Origin) |
API Key Authentication
Use API keys for backend calls.Example
cURL
Client ID Authentication
Use Client ID when your integration needs browser-side authentication flow.Example
cURL
For browser-based requests,
Origin is part of the request context and is required for Client ID auth.Header Reference
x-api-key: API key used for server-side authx-client-id: Client identifier used for client-side authOrigin: required with Client ID flows in browser contexts
Rate limits
Request Network enforces rate limits onx-client-id requests to keep the API responsive for every integrator. By default, authenticated x-client-id integrators get an SLA of 300 requests per minute (5 requests per second) in production.
Several tiers exist. Most integrators run on Default; contact us to move to a higher-throughput tier if you need one:
| Tier | Rate |
|---|---|
| Basic | 2 req/sec (120 req/min) |
| Default (standard SLA) | 5 req/sec (300 req/min) |
| Premium | 10 req/sec (600 req/min) |
| High-volume | 20 req/sec (1,200 req/min) |
Default is the standard SLA applied to authenticated integrators unless you have been assigned another tier.
Rate limits are scoped per client ID and IP address, so usage from one client ID on one IP doesnβt affect your limit on another IP. If you sustain a breach of your limit, requests from that client ID and IP are temporarily blocked (5 minutes by default) before being allowed again. Some endpoints, such as client ID management, use a more relaxed limit than the general default shown above.
The production default is 5 req/sec. Non-production environments (development and test) run at a higher limit to support testing. Contact us if your integration needs a higher tier than the production default.
Common Authentication Errors
401 Unauthorized
- Missing auth header
- Invalid/expired API key or client ID
403 Forbidden
- Credentials are valid but not allowed for the requested operation
- Client ID is revoked or restricted
429 Too Many Requests
- Request rate exceeded for your credentials. See Rate limits.
Security Guidance
- Keep API keys server-side and out of frontend bundles
- Store credentials in environment variables or secret managers
- Rotate compromised credentials immediately
- Verify webhook signatures independently (webhook signing uses a separate secret)
Related Pages
Dashboard
Create credentials and manage webhook configuration.
Webhooks
Signature verification and delivery behavior.
OpenAPI Reference
Full endpoint authentication requirements.