Authentication
How to create an API key
API keys are managed directly in XDENT under My Account → API Management.
Only an administrator account can manage API keys.
- Go to the API Keys tab.
- Click the + Add API Key button.
- Store the key securely immediately – it is shown only once.
A company can have multiple keys for different applications interacting with the API.
A key can be deactivated or deleted without affecting other keys.
Warning
Never store the API key directly in application source code.
Use environment variables or a secret manager.
How to use the key
Every protected call must include the X-Api-Key header:
GET /api/v1/Identity
X-Api-Key: YOUR_API_KEY
Without this header, the API returns error 400.
X-Api-Key value format
Send the key in KeyId.Secret format.
- KeyId = public key identifier
- Secret = secret part of the key
If you send only KeyId without Secret, the API returns 401 with SECRET_REQUIRED.
IP authorization
An optional feature that restricts traffic to allowed IP addresses only.
Configured in XDENT under API Management by enabling the IP Authorization toggle and adding allowed IPv4 or IPv6 addresses.
What this means for integration:
- If IP authorization is enabled, calls from an unauthorized IP address will fail with error 403.
- We recommend adding only IP addresses of your production environment (servers, NAT gateway).
Warning
Adding or removing an IP address takes effect within 5 minutes.
Authorization does not apply until at least one IP address has been added.
Error states
| HTTP status | Error code | Description |
|---|---|---|
| 400 | MISSING_API_KEY | The X-Api-Key header is missing |
| 401 | INVALID_API_KEY | The key does not exist or is invalid |
| 401 | SECRET_REQUIRED | The secret part is missing (expected KeyId.Secret) |
| 401 | INVALID_SECRET | The secret part is invalid |
| 401 | COMPANY_API_DISABLED | API access is disabled for your company |
| 401 | API_KEY_DISABLED | This specific key is disabled |
| 403 | IP_NOT_AUTHORIZED | Access blocked due to IP authorization |
The error response always has the structure:
{
  "Code": "INVALID_API_KEY",
  "Message": "Error description"
}
Security recommendations
- Do not store the key in client-side code.
- In production, use environment variables or a secret manager.
- Use IP authorization if you have fixed IP addresses from which the API will be used.
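The scheme described on this page, as an added client-side example (not XDENT's own code): it reads the key from the environment, rejects values the API would refuse, exposes only the public KeyId for logging, and maps the documented error body to a log line. The host, the variable name XDENT_API_KEY, the hint wording and the rule that KeyId contains no dot are assumptions of this example.

```python
import json
import os
import urllib.request

BASE_URL = "https://xdent-api.example.invalid"  # placeholder host, not from the page
ENV_VAR = "XDENT_API_KEY"                       # hypothetical variable name

# Error codes are from the page's table; the hints are this example's own wording.
HINTS = {
    "MISSING_API_KEY": "X-Api-Key header was not sent",
    "INVALID_API_KEY": "key does not exist or is invalid",
    "SECRET_REQUIRED": "only KeyId was sent; send KeyId.Secret",
    "INVALID_SECRET": "secret part is wrong",
    "COMPANY_API_DISABLED": "API access is disabled for the company",
    "API_KEY_DISABLED": "this key is disabled in API Management",
    "IP_NOT_AUTHORIZED": "caller IP is not allowed (list changes take up to 5 minutes)",
}

def load_api_key(env=os.environ):
    """Read the key from the environment and reject values the API would refuse."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise ValueError(f"{ENV_VAR} is not set")  # API would answer 400 MISSING_API_KEY
    key_id, dot, secret = key.partition(".")  # assumption: KeyId itself has no dot
    if not (key_id and dot and secret):
        raise ValueError("key must be in KeyId.Secret format")  # 401 SECRET_REQUIRED
    return key

def key_id_for_logs(key):
    """Return only the public KeyId part, so the secret never reaches a log."""
    return key.partition(".")[0]

def build_request(path, key):
    """Build (but do not send) a GET request carrying the X-Api-Key header."""
    return urllib.request.Request(BASE_URL + path, headers={"X-Api-Key": key}, method="GET")

def explain_error(status, body):
    """Turn the documented {"Code", "Message"} error body into one log line."""
    try:
        code = str(json.loads(body).get("Code", "UNKNOWN"))
    except (ValueError, TypeError, AttributeError):
        code = "UNKNOWN"  # body was not the documented JSON object
    return f"HTTP {status} {code}: {HINTS.get(code, 'unrecognised error code')}"

if __name__ == "__main__":
    sample = {ENV_VAR: "kid_demo.s3cr3t_demo"}  # constructed value, not a real key
    k = load_api_key(sample)
    print(key_id_for_logs(k), build_request("/api/v1/Identity", k).full_url)
    print(explain_error(403, '{"Code": "IP_NOT_AUTHORIZED", "Message": "Error description"}'))
```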