Talentino Docs

Authentication & Rate Limits

How Partner API keys are accepted, what they grant, and the per-key rate limit.

Bearer API keys

Every /api/v1 write endpoint — and the existing protected read endpoints — accept a Partner API key as a Bearer token instead of a session cookie:

Authorization: Bearer tlt_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

A valid key resolves to the same authorization context a logged-in session would produce — the request runs as the user who created the key (created_by), scoped to that key's Business Unit. No route needs special handling; the middleware builds an identical context for both auth modes.

Key format

  • Prefix: tlt_
  • Shape: tlt_ followed by 43 URL-safe base64 characters (47 chars total), i.e. ^tlt_[A-Za-z0-9_-]{43}$.
  • Only the SHA-256 hash is stored server-side; the plaintext is shown once at creation.

Only Bearer tokens with the tlt_ prefix are treated as API keys. A Bearer token without that prefix falls through to session auth (it may be some other token type). A malformed tlt_… token is rejected with 401 — it never silently falls through.

What a key grants

  • Full Business Unit access. A key has the same reach as its creating admin. There are no scopes.
  • Tenant binding is fixed at creation. The Business Unit comes from the key row, not from the user's current BU. If the creator later moves BUs, the key keeps its original BU — revocation is the control.
  • Admin gating still applies. Endpoints that require an admin role (e.g. managing API keys themselves) reject member-created keys with 403, just as they would a member session.

Revocation

Revoke a key from Settings → API Keys. Revocation is immediate (the cached lookup is purged eagerly) and is the only way to invalidate a key — keys do not expire on their own.

Rate limits

Requests are limited per API key:

  • 60 requests per minute, sliding window.
  • Exceeding it returns 429 with the standard error body:
{ "error": "Rate limit exceeded", "success": false }

Notes:

  • The limit is keyed on the API key's row id, not the plaintext or hash.
  • Rate limiting is applied after the key is verified — unverified/garbage keys are simply 401'd, not counted against any limit.

Error shape

All Partner API errors share one envelope:

{ "error": "human-readable message", "success": false }
StatusMeaning
400Invalid request body, import_activity_id, or URL
401Missing/malformed/unknown/revoked key
402Insufficient credits for the billable action — see Credit API
403Key lacks the required (admin) role
404Referenced import_activity_id / resume_id not in your Business Unit
409Duplicate document (content-hash dedup; production stages only)
413Document too large (5 MB cap)
415Unsupported document type or request Content-Type
422Bulk: all items failed / Job Match: all candidates failed
429Rate limit exceeded
502Failed to fetch a document from a URL
500Unexpected error

See the Partner API v1 reference for per-endpoint details.

On this page