Skip to main content
Apocor uses an OAuth client-credentials flow. You exchange an API key for a short-lived bearer token, then send that token on every request. Apocor keys are the only credential you manage — all upstream providers are handled for you.

The flow

1. Get your API key

Your Apocor contact provisions an API key from the dashboard. The secret is returned only once — store it in a secret manager.
FieldUse
prefixThe client_id you send to the token endpoint
secretThe client_secret — shown once, never again

2. Get an access token

curl -s -X POST 'https://sandbox.apocor.ai/v1/oauth/token' \
  -H 'Content-Type: application/json' \
  -d '{ "client_id": "apocor_1a2b3c4d5e6f7g8h", "client_secret": "apocor_sk_live_..." }'
Tokens are valid for 1 hour (expires_in: 3600). Request a new one when it expires — there is no refresh token in the client-credentials flow.

3. Call authenticated endpoints

Authorization: Bearer YOUR_ACCESS_TOKEN
Content-Type: application/json

Roles & access

Every key and user carries a role that scopes what it can see and do.
RoleScope
APOCOR_ADMINApocor staff — full platform access
RESELLER_ADMINManages its own org and child tenants
ORG_ADMINFull access within a single tenant org
PROGRAM_MANAGERManage programs, cards, and applicants
DEVELOPERMachine access for integrations
SUPPORT / AUDITORRead-oriented operational access
Requests are always scoped to the caller’s organization (and, for resellers, its children). You can only ever read or write resources your token is entitled to.

Errors

A missing or invalid credential returns 401 with a stable code:
{ "error": { "code": "INVALID_CLIENT", "message": "Invalid client credentials" } }
See Error codes for the full list.