Authentication

Secure access to the Tiquo API using API keys.

API Key Authentication

Bearer Token

Include the API key in the Authorization header as a bearer token:
Authorization: Bearer sk_live_xxxxx

Full Example

curl -X GET https://api.tiquo.co/v1/customers \
  -H "Authorization: Bearer sk_live_xxxxx" \
  -H "Content-Type: application/json"

API Key Types

Live Keys

Production keys for live data:
  • Prefix: sk_live_
  • Access real customer data
  • Process real transactions

Test Keys

Sandbox keys for development:
  • Prefix: sk_test_
  • Isolated test environment
  • No real transactions

Never use live keys in development or testing.

Obtaining API Keys

  1. Go to Settings: navigate to Settings → API Keys
  2. Create Key: click Create API Key
  3. Select Environment: choose Live or Test
  4. Set Scopes: select permissions
  5. Copy Key: save immediately

Scopes

Available Scopes

Scope              Permission
customers:read     Read customer data
customers:write    Create/update customers
orders:read        Read orders
orders:write       Create/manage orders
services:read      Read services
services:write     Manage services
products:read      Read products
products:write     Manage products
analytics:read     Access analytics
settings:read      Read settings
settings:write     Modify settings

Checking Scopes

Insufficient scope returns 403:
{
  "success": false,
  "error": {
    "code": "insufficient_scope",
    "message": "This endpoint requires customers:write scope"
  }
}

Authentication Errors

401 Unauthorized

Invalid or missing API key:
{
  "success": false,
  "error": {
    "code": "unauthorized",
    "message": "Invalid API key"
  }
}
Causes:
  • Missing Authorization header
  • Malformed API key
  • Revoked API key

403 Forbidden

Valid key but insufficient permissions:
{
  "success": false,
  "error": {
    "code": "forbidden",
    "message": "Insufficient permissions for this resource"
  }
}
Causes:
  • Missing required scope
  • Organization-level restriction
  • Resource doesn’t belong to you

Security Best Practices

Use environment variables:

# .env file (never commit!)
TIQUO_API_KEY=sk_live_xxxxx

// Application code: read the key from the environment
const apiKey = process.env.TIQUO_API_KEY;

Only request permissions you need:
  • Read-only for dashboards
  • Write only when creating data

Rotate keys periodically:
  1. Create new key
  2. Update applications
  3. Revoke old key

Never use live keys during:
  • Local development
  • Automated testing
  • CI/CD pipelines

Server-Side Only

Never expose API keys in client-side code.
Bad Practice:
// ❌ Don't do this in frontend code
const response = await fetch('https://api.tiquo.co/v1/customers', {
  headers: {
    'Authorization': 'Bearer sk_live_xxxxx' // Exposed!
  }
});
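Good Practice:
// ✅ Frontend: call your backend instead
const response = await fetch('/api/customers');

// Backend route handler: makes the API call, so the key stays server-side
export async function GET() {
  const response = await fetch('https://api.tiquo.co/v1/customers', {
    headers: {
      'Authorization': `Bearer ${process.env.TIQUO_API_KEY}`
    }
  });
  // Return a Response object and pass the upstream status through
  return Response.json(await response.json(), { status: response.status });
}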
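
The rules above (key in an environment variable, no live keys in development or CI, no keys in client code) can be enforced in code. This is an added example, not Tiquo's code: the function names are hypothetical, and NODE_ENV, CI and the key body character set are assumptions.

```javascript
// Added example, not Tiquo's code. NODE_ENV and CI are assumed deployment
// conventions; the character set after the prefix is also an assumption.
const KEY_PATTERN = /\bsk_(live|test)_[A-Za-z0-9]+/g;

// Classify a key by the documented prefixes: 'live', 'test', or null.
function keyKind(key) {
  const m = typeof key === 'string' ? /^sk_(live|test)_[A-Za-z0-9]+$/.exec(key) : null;
  return m ? m[1] : null;
}

// Log-safe form: keep the prefix, drop the secret part.
function redactKey(key) {
  const kind = keyKind(key);
  return kind ? `sk_${kind}_[redacted]` : '[invalid key]';
}

// Read the key from the environment and refuse a live key anywhere except
// a production process that is not a CI job.
function loadApiKey(env = process.env) {
  const key = env.TIQUO_API_KEY;
  const kind = keyKind(key);
  if (!kind) throw new Error('TIQUO_API_KEY is missing or malformed');
  const production = env.NODE_ENV === 'production' && !env.CI;
  if (kind === 'live' && !production) {
    throw new Error(`Refusing ${redactKey(key)} outside production`);
  }
  return key;
}

// Pre-commit or build check: report hardcoded keys in source text.
// Returns [{ line, kind }] without echoing the key itself.
function findHardcodedKeys(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(KEY_PATTERN)) {
      hits.push({ line: i + 1, kind: m[1] });
    }
  });
  return hits;
}
```

Call loadApiKey() once at server startup so a misconfigured environment fails before any request is sent, and run findHardcodedKeys over frontend sources before they are committed or bundled.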

Organization Context

API keys are scoped to organizations:
  • Each key belongs to one organization
  • Access only that organization’s data
  • Use separate keys per organization if needed