Authentication
All /api/b2b/* endpoints authenticate with an API key in the X-API-Key
header. Keys start with the sa_b2b_ prefix:
curl -s https://api.stockalloy.com/api/b2b/facts/latest \ -H "Content-Type: application/json" \ -H "X-API-Key: $STOCKALLOY_API_KEY" \ -d '{"ticker": "AAPL"}'The sandbox endpoints (/api/sandbox/*) need no key at all — see the
Quickstart.
Getting a key
Section titled “Getting a key”Create keys in the developer portal at stockalloy.com/developer. The plaintext key is shown once at creation; only a hash is stored server-side. If you lose a key, revoke it and create a new one.
Keys can optionally carry an expiry (expires_at). Expired keys are rejected
with 403.
Managing multiple keys
Section titled “Managing multiple keys”An account can hold multiple keys (per environment, per service, per teammate — seat limits depend on your plan). Usage and quotas are tracked per account first, then per key, so splitting traffic across keys does not reset your monthly allowance.
Auth failures
Section titled “Auth failures”| Status | Body | Meaning |
|---|---|---|
401 |
{"error": "API key required"} |
No X-API-Key header sent |
401 |
{"error": "Invalid API key"} |
Key not recognized |
403 |
{"error": "Account is disabled"} |
Account suspended |
403 |
{"error": "API key has been revoked"} |
Key was revoked in the portal |
403 |
{"error": "API key is disabled"} |
Key disabled (not revoked) |
403 |
{"error": "API key has expired"} |
Key past its expires_at |
403 |
{"error": "API key is not entitled for …"} |
Key lacks a product entitlement (contact support — every current plan includes the full read surface) |
Best practices
Section titled “Best practices”- Never ship keys to browsers or mobile apps. Call StockAlloy from your backend and proxy what your product needs.
- Store keys in a secrets manager or environment variables — the examples in
these docs use
$STOCKALLOY_API_KEY. - Rotate by creating a second key, deploying it, then revoking the old one — both keys stay valid during the switch.