Apocor uses an OAuth client-credentials flow. You exchange an API key for a short-lived bearer token, then send that token on every request. Apocor keys are the only credential you manage — all upstream providers are handled for you.
The flow
1. Get your API key
Your Apocor contact provisions an API key from the dashboard. The secret is returned only once — store it in a secret manager.
| Field | Use |
|---|
prefix | The client_id you send to the token endpoint |
secret | The client_secret — shown once, never again |
2. Get an access token
curl -s -X POST 'https://sandbox.apocor.ai/v1/oauth/token' \
-H 'Content-Type: application/json' \
-d '{ "client_id": "apocor_1a2b3c4d5e6f7g8h", "client_secret": "apocor_sk_live_..." }'
Tokens are valid for 1 hour (expires_in: 3600). Request a new one when it expires — there is no refresh token in the client-credentials flow.
3. Call authenticated endpoints
Authorization: Bearer YOUR_ACCESS_TOKEN
Content-Type: application/json
Roles & access
Every key and user carries a role that scopes what it can see and do.
| Role | Scope |
|---|
APOCOR_ADMIN | Apocor staff — full platform access |
RESELLER_ADMIN | Manages its own org and child tenants |
ORG_ADMIN | Full access within a single tenant org |
PROGRAM_MANAGER | Manage programs, cards, and applicants |
DEVELOPER | Machine access for integrations |
SUPPORT / AUDITOR | Read-oriented operational access |
Requests are always scoped to the caller’s organization (and, for resellers, its children). You can only ever read or write resources your token is entitled to.
Errors
A missing or invalid credential returns 401 with a stable code:
{ "error": { "code": "INVALID_CLIENT", "message": "Invalid client credentials" } }
See Error codes for the full list.