Skip to main content

Overview

Request Network API supports two authentication modes:
  • x-api-key for server-side integrations
  • x-client-id for browser/client integrations (with Origin header)
Use this page as the canonical auth reference. Client IDs are managed in the Request Dashboard. Webhooks can be managed no-code from the Dashboard or programmatically via the Auth API (POST /v1/webhook with the x-client-id header).

Choose the Right Method

MethodBest forHeader(s)
API KeyBackend services, cron jobs, trusted server environmentsx-api-key
Client IDBrowser/front-end calls where client auth is requiredx-client-id (+ Origin)

API Key Authentication

Use API keys for backend calls.

Example

cURL
curl -X GET 'https://api.request.network/v2/request/{requestId}' \
  -H 'x-api-key: YOUR_API_KEY'

Client ID Authentication

Use Client ID when your integration needs browser-side authentication flow.

Example

cURL
curl -X GET 'https://api.request.network/v2/request/{requestId}' \
  -H 'x-client-id: YOUR_CLIENT_ID' \
  -H 'Origin: https://your-app.example'
For browser-based requests, Origin is part of the request context and is required for Client ID auth.

Header Reference

  • x-api-key: API key used for server-side auth
  • x-client-id: Client identifier used for client-side auth
  • Origin: required with Client ID flows in browser contexts

Rate limits

Request Network enforces rate limits on x-client-id requests to keep the API responsive for every integrator. By default, authenticated x-client-id integrators get an SLA of 300 requests per minute (5 requests per second) in production. Several tiers exist. Most integrators run on Default; contact us to move to a higher-throughput tier if you need one:
TierRate
Basic2 req/sec (120 req/min)
Default (standard SLA)5 req/sec (300 req/min)
Premium10 req/sec (600 req/min)
High-volume20 req/sec (1,200 req/min)
Tiers are listed from lowest to highest throughput; Default is the standard SLA applied to authenticated integrators unless you have been assigned another tier. Rate limits are scoped per client ID and IP address, so usage from one client ID on one IP doesn’t affect your limit on another IP. If you sustain a breach of your limit, requests from that client ID and IP are temporarily blocked (5 minutes by default) before being allowed again. Some endpoints, such as client ID management, use a more relaxed limit than the general default shown above.
The production default is 5 req/sec. Non-production environments (development and test) run at a higher limit to support testing. Contact us if your integration needs a higher tier than the production default.

Common Authentication Errors

401 Unauthorized

  • Missing auth header
  • Invalid/expired API key or client ID

403 Forbidden

  • Credentials are valid but not allowed for the requested operation
  • Client ID is revoked or restricted

429 Too Many Requests

  • Request rate exceeded for your credentials. See Rate limits.

Security Guidance

  • Keep API keys server-side and out of frontend bundles
  • Store credentials in environment variables or secret managers
  • Rotate compromised credentials immediately
  • Verify webhook signatures independently (webhook signing uses a separate secret)

Dashboard

Create credentials and manage webhook configuration.

Webhooks

Signature verification and delivery behavior.

OpenAPI Reference

Full endpoint authentication requirements.