Key concepts

Authorization

Qualy authenticates your API requests using your account’s API keys. If a request doesn’t include a valid key, Qualy returns an Unauthorized error.


Authenticating requests

Qualy uses the Authorization header to authenticate your API call. You will need both the API key and Tenant ID to successfully authenticate an API call.

What you will need

Requests to Qualy require at minimum two headers: one for your API key and one for your Tenant ID. While in very few cases the API key may not be required, the Tenant ID is always required.

A valid API key

To generate and retrieve the API keys for your account follow this guide.

Your Tenant ID

To retrieve the Tenant ID follow this guide.

Example of an authenticated request:

const makeRequest = async () => {
  const requestConfig = {
    method: 'GET',
    headers: {
      'X-TENANT-ID': 'eu1-unique-tenant-id-here',
      'Authorization': 'ApiKey pk_prod_api-key-here'
    },
  };

  try {
    const response = await fetch('https://api.qualyhq.com/v1/users/user', requestConfig);

    if (response.ok) {
      const data = await response.json();

      console.log(data);
    } else {
      throw new Error(`Request failed with status: ${response.status}`);
    }
  } catch (error) {
    console.error(error);
  }
};

makeRequest();

Requests without Tenant ID or API Key

Requests without a valid X-TENANT-ID header or without a valid API key in the Authorization header will throw an error.

You can also use the header x-tenant-id (in lowercase).
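
An added example, not part of Qualy's documentation or code: because API keys carry super admin access by default, this wrapper reads the key and Tenant ID from the environment instead of source, fails locally when either is missing, and refuses to attach the Authorization header to any origin other than the API host. The names QUALY_API_KEY, QUALY_TENANT_ID, buildQualyRequest and qualyGet are assumptions, as is the mapping of the Unauthorized error to HTTP status 401.

```javascript
// Added example; helper and variable names are assumptions, not Qualy's API.
const QUALY_ORIGIN = 'https://api.qualyhq.com';

// Build the URL and headers for an authenticated GET without touching the network.
function buildQualyRequest(path, env = process.env) {
  const tenantId = env.QUALY_TENANT_ID; // assumed variable name
  const apiKey = env.QUALY_API_KEY;     // assumed variable name
  // Fail locally, before any request is made, if either credential is missing.
  if (!tenantId) throw new Error('QUALY_TENANT_ID is not set');
  if (!apiKey) throw new Error('QUALY_API_KEY is not set');

  // Resolve against the fixed origin and reject absolute or protocol-relative
  // URLs that would carry the Authorization header to a different host.
  const url = new URL(path, QUALY_ORIGIN);
  if (url.origin !== QUALY_ORIGIN) {
    throw new Error(`Refusing to send credentials to ${url.origin}`);
  }
  return {
    url: url.href,
    config: {
      method: 'GET',
      headers: { 'X-TENANT-ID': tenantId, Authorization: `ApiKey ${apiKey}` },
    },
  };
}

// Send the request; fetchImpl is injectable so the logic can be tested offline.
async function qualyGet(path, env = process.env, fetchImpl = fetch) {
  const { url, config } = buildQualyRequest(path, env);
  const response = await fetchImpl(url, config);
  // Assumption: the Unauthorized error is returned as HTTP 401.
  if (response.status === 401) {
    throw new Error('Unauthorized: check the API key and tenant ID');
  }
  if (!response.ok) {
    throw new Error(`Request failed with status: ${response.status}`);
  }
  return response.json();
}

// Constructed values for illustration; only non-secret fields are logged.
const demo = buildQualyRequest('/v1/users/user', {
  QUALY_TENANT_ID: 'eu1-constructed-tenant',
  QUALY_API_KEY: 'pk_test_constructed-key',
});
console.log(demo.url, Object.keys(demo.config.headers));
```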

Types of users

When interacting with Qualy's API, different user types have specific permissions and access levels. Understanding these user types is crucial for proper authentication and utilization of the available endpoints.

User

As a standard user, you have unrestricted access to all available API endpoints. This user type applies to all users of the tenant and has the fewest restrictions, but is still bound by roles/permissions.

Contact

Contacts logging in through the contact portal will be designated as such. While they enjoy access to the API, certain endpoints may be limited or scoped to ensure security and relevance to the contact's data.

Partner

Partners, similar to contacts, may experience limitations on certain endpoints or functionalities. These restrictions aim to tailor the API experience to the specific needs of Qualy's partners.

API Key

API Keys provide programmatic access to Qualy's API. While most endpoints are accessible, some administrative actions, like generating new API keys, may be restricted. This user type is suitable for automated processes and system-to-system integrations.

Understanding the nuances of each user type ensures that authentication aligns with your intended use case and helps maintain a secure and efficient interaction with Qualy's API.

Roles

We use roles to control user permissions. Each role defines specific actions that users can perform. API keys have super admin access by default.
