Skip to content

Authentication

All /api/b2b/* endpoints authenticate with an API key in the X-API-Key header. Keys start with the sa_b2b_ prefix:

Terminal window
curl -s https://api.stockalloy.com/api/b2b/facts/latest \
-H "Content-Type: application/json" \
-H "X-API-Key: $STOCKALLOY_API_KEY" \
-d '{"ticker": "AAPL"}'

The sandbox endpoints (/api/sandbox/*) need no key at all — see the Quickstart.

Create keys in the developer portal at stockalloy.com/developer. The plaintext key is shown once at creation; only a hash is stored server-side. If you lose a key, revoke it and create a new one.

Keys can optionally carry an expiry (expires_at). Expired keys are rejected with 403.

An account can hold multiple keys (per environment, per service, per teammate — seat limits depend on your plan). Usage and quotas are tracked per account first, then per key, so splitting traffic across keys does not reset your monthly allowance.

Status Body Meaning
401 {"error": "API key required"} No X-API-Key header sent
401 {"error": "Invalid API key"} Key not recognized
403 {"error": "Account is disabled"} Account suspended
403 {"error": "API key has been revoked"} Key was revoked in the portal
403 {"error": "API key is disabled"} Key disabled (not revoked)
403 {"error": "API key has expired"} Key past its expires_at
403 {"error": "API key is not entitled for …"} Key lacks a product entitlement (contact support — every current plan includes the full read surface)
  • Never ship keys to browsers or mobile apps. Call StockAlloy from your backend and proxy what your product needs.
  • Store keys in a secrets manager or environment variables — the examples in these docs use $STOCKALLOY_API_KEY.
  • Rotate by creating a second key, deploying it, then revoking the old one — both keys stay valid during the switch.