
Authentication

The Okasie Partner API uses Bearer token authentication. All requests must include a valid API secret.

Getting Your API Secret

1. Contact Okasie
   Email [email protected] with your company details and integration use case

2. Receive Credentials
   You’ll receive your API secret and assigned dealer profile IDs

3. Store Securely
   Store your secret in environment variables or a secrets manager

Making Authenticated Requests

Include your API secret in the Authorization header:
curl -X GET "https://www.okasie.be/api/external/v1/listings" \
  -H "Authorization: Bearer sk_partner_xxxxxxxxxxxxx"

Alternative: X-API-Key Header

You can also use the X-API-Key header:
curl -X GET "https://www.okasie.be/api/external/v1/listings" \
  -H "X-API-Key: sk_partner_xxxxxxxxxxxxx"

Scopes

API secrets are granted specific scopes that control access:
Scope             Description
read:listings     Read listings data
read:locations    Read dealer location data
write:listings    Create, update, and delete listings

By default, new partners receive read:listings and read:locations. Contact support to request write:listings scope.

Access Control

Your API key may be restricted to specific dealer profiles:
  • Global access: Can access all listings (rare, for aggregators)
  • Restricted access: Can only access assigned dealer profiles and their children
The response meta.partner.access shows your current access scope:
{
  "meta": {
    "partner": {
      "access": {
        "scope": "restricted",
        "rootProfileIds": ["8f8f8f8f-8f8f-408f-a8f8-8f8f8f8f8f8f"],
        "profileIds": ["7f7f7f7f-7f7f-407f-a7f7-7f7f7f7f7f7f", "8f8f8f8f-8f8f-408f-a8f8-8f8f8f8f8f8f"]
      }
    }
  }
}

Security Best Practices

Never expose your API secret in client-side code or public repositories.
Use environment variables or a secrets manager like AWS Secrets Manager, HashiCorp Vault, or similar.
# .env (never commit this file)
PARTNER_SECRET=sk_partner_xxxxxxxxxxxxx
Contact support to rotate your API secret. Old secrets become invalid immediately after rotation.
All API requests must use HTTPS. HTTP requests will be rejected.
Include X-Request-Id in your requests for easier debugging and support.
curl -H "X-Request-Id: req-12345" ...

Authentication Errors

Status    Error Code           Description
401       UNAUTHORIZED         Missing or invalid API secret
403       PROFILE_FORBIDDEN    Valid secret but no access to requested profile

Example Error Response

{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key"
  }
}
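
The following Python sketch is an added example, not code from Okasie. It ties the sections above together: it reads the secret from the PARTNER_SECRET environment variable, refuses non-HTTPS URLs before the secret is attached, checks a profile ID against meta.partner.access, and maps the two documented authentication errors to an action. The function names, the request ID format and the "global" scope literal are assumptions; the page shows only "restricted".

```python
import os
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://www.okasie.be/api/external/v1"  # base path from the curl examples


def build_request(path, env=os.environ, base_url=BASE_URL):
    """Build (without sending) an authenticated GET request."""
    secret = env.get("PARTNER_SECRET")  # variable name from the .env example
    if not secret:
        raise RuntimeError("PARTNER_SECRET is not set")
    url = base_url + path
    if urlsplit(url).scheme != "https":  # checked before the secret is attached
        raise ValueError("refusing to send the API secret over a non-HTTPS URL")
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {secret}",
        "X-Request-Id": f"req-{os.urandom(8).hex()}",  # assumed ID format
    })


def can_access(body, profile_id):
    """Check a profile ID against meta.partner.access; unknown scopes are denied."""
    access = body.get("meta", {}).get("partner", {}).get("access", {})
    scope = access.get("scope")
    if scope == "restricted":
        return profile_id in access.get("profileIds", [])
    return scope == "global"  # assumed literal for global access


def explain_auth_error(status, body):
    """Map the documented authentication errors to an operator action."""
    code = body.get("error", {}).get("code")
    if status == 401 and code == "UNAUTHORIZED":
        return "secret missing, invalid or rotated: reload it from the secrets store"
    if status == 403 and code == "PROFILE_FORBIDDEN":
        return "secret valid, profile not assigned: do not retry, check profileIds"
    return f"not an authentication error: {status} {code}"


# Constructed sample, shaped like the meta.partner.access response on this page.
SAMPLE = {"meta": {"partner": {"access": {
    "scope": "restricted",
    "profileIds": ["7f7f7f7f-7f7f-407f-a7f7-7f7f7f7f7f7f",
                   "8f8f8f8f-8f8f-408f-a8f8-8f8f8f8f8f8f"]}}}}

if __name__ == "__main__":
    print(build_request("/listings", env={"PARTNER_SECRET": "sk_partner_xxxxxxxxxxxxx"}).full_url)
    print(can_access(SAMPLE, "7f7f7f7f-7f7f-407f-a7f7-7f7f7f7f7f7f"))
```

Log the X-Request-Id value with each call, never the Authorization header.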
