Authentication & Rate Limits
How Partner API keys are accepted, what they grant, and the per-key rate limit.
Bearer API keys
Every /api/v1 write endpoint — and the existing protected read endpoints — accept a Partner API key as a Bearer token instead of a session cookie:
Authorization: Bearer tlt_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxA valid key resolves to the same authorization context a logged-in session would produce — the request runs as the user who created the key (created_by), scoped to that key's Business Unit. No route needs special handling; the middleware builds an identical context for both auth modes.
Key format
- Prefix:
tlt_ - Shape:
tlt_followed by 43 URL-safe base64 characters (47 chars total), i.e.^tlt_[A-Za-z0-9_-]{43}$. - Only the SHA-256 hash is stored server-side; the plaintext is shown once at creation.
Only Bearer tokens with the tlt_ prefix are treated as API keys. A Bearer
token without that prefix falls through to session auth (it may be some
other token type). A malformed tlt_… token is rejected with 401 — it never
silently falls through.
What a key grants
- Full Business Unit access. A key has the same reach as its creating admin. There are no scopes.
- Tenant binding is fixed at creation. The Business Unit comes from the key row, not from the user's current BU. If the creator later moves BUs, the key keeps its original BU — revocation is the control.
- Admin gating still applies. Endpoints that require an admin role (e.g. managing API keys themselves) reject member-created keys with
403, just as they would a member session.
Revocation
Revoke a key from Settings → API Keys. Revocation is immediate (the cached lookup is purged eagerly) and is the only way to invalidate a key — keys do not expire on their own.
Rate limits
Requests are limited per API key:
- 60 requests per minute, sliding window.
- Exceeding it returns
429with the standard error body:
{ "error": "Rate limit exceeded", "success": false }Notes:
- The limit is keyed on the API key's row id, not the plaintext or hash.
- Rate limiting is applied after the key is verified — unverified/garbage keys are simply
401'd, not counted against any limit.
Error shape
All Partner API errors share one envelope:
{ "error": "human-readable message", "success": false }| Status | Meaning |
|---|---|
400 | Invalid request body, import_activity_id, or URL |
401 | Missing/malformed/unknown/revoked key |
402 | Insufficient credits for the billable action — see Credit API |
403 | Key lacks the required (admin) role |
404 | Referenced import_activity_id / resume_id not in your Business Unit |
409 | Duplicate document (content-hash dedup; production stages only) |
413 | Document too large (5 MB cap) |
415 | Unsupported document type or request Content-Type |
422 | Bulk: all items failed / Job Match: all candidates failed |
429 | Rate limit exceeded |
502 | Failed to fetch a document from a URL |
500 | Unexpected error |
See the Partner API v1 reference for per-endpoint details.