
Authentication

All SALLY API requests must be authenticated with an API key sent as a Bearer token.

API Keys

Get your API key from the SALLY Dashboard under Settings > API Keys.

Key Types

Staging Keys (sk_staging_*)

  • For development and testing
  • Rate limit: 1,000 requests/hour
  • Non-production data only

Production Keys (sk_prod_*)

  • For production use
  • Rate limit: 10,000 requests/hour
  • Full access to production resources

Making Authenticated Requests

Using Bearer Token

Include your API key in the Authorization header:

curl -X POST https://sally-api.apps.appshore.in/api/v1/routes/plan \
  -H "Authorization: Bearer sk_staging_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"origin": {...}, "destination": {...}}'

JavaScript Example

const response = await fetch('https://sally-api.apps.appshore.in/api/v1/routes/plan', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.SALLY_API_KEY}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    origin: { /* ... */ },
    destination: { /* ... */ }
  })
})
 
const data = await response.json()

Python Example

import os

import requests

# Read the key from the environment; never hard-code it in source.
headers = {
    'Authorization': f'Bearer {os.environ["SALLY_API_KEY"]}',
    'Content-Type': 'application/json'
}

response = requests.post(
    'https://sally-api.apps.appshore.in/api/v1/routes/plan',
    headers=headers,
    json={
        'origin': { ... },
        'destination': { ... }
    },
    timeout=10  # fail instead of hanging if the API is unreachable
)

data = response.json()

Error Handling

Invalid API Key (401)

{
  "statusCode": 401,
  "message": "Invalid API key",
  "error": "Unauthorized"
}

Missing API Key (401)

{
  "statusCode": 401,
  "message": "No API key provided",
  "error": "Unauthorized"
}

Rate Limit Exceeded (429)

{
  "statusCode": 429,
  "message": "Rate limit exceeded",
  "error": "Too Many Requests"
}

Best Practices

DO:

  • Store API keys in environment variables
  • Use different keys for staging and production
  • Rotate keys regularly
  • Monitor rate limit headers

DON’T:

  • Commit API keys to version control
  • Expose keys in client-side code
  • Share keys between team members
  • Use production keys in development

Security

  • All requests must use HTTPS
  • API keys are prefixed (sk_staging_* or sk_prod_*)
  • Keys can be revoked from the dashboard
  • Failed auth attempts are logged
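
The key prefixes and the staging/production separation described above can be checked mechanically. The following is an added example, not part of the SALLY documentation: it refuses a key whose prefix does not fit the deployment environment and finds hard-coded keys in source text before commit. The environment names, the ALLOWED_PREFIX mapping and the key body format (16 or more alphanumeric characters) are assumptions, and the sample key is constructed.

```python
import os
import re

# Prefixes come from this page; the key body format (16+ alphanumerics) is an
# assumption, chosen so the docs placeholder sk_staging_YOUR_KEY is not flagged.
KEY_PATTERN = re.compile(r"\bsk_(?:staging|prod)_[A-Za-z0-9]{16,}")

# Hypothetical environment names mapped to the key type allowed in each.
ALLOWED_PREFIX = {
    "development": "sk_staging_",
    "staging": "sk_staging_",
    "production": "sk_prod_",
}

# Constructed sample input: line 2 hard-codes a (fake) production key.
SAMPLE = '''import os
API_KEY = "sk_prod_EXAMPLEONLY0000000001"
headers = {"Authorization": f"Bearer {os.environ['SALLY_API_KEY']}"}
'''


def redact(key):
    """Return a log-safe form of a key: its prefix plus the last 4 characters."""
    kind = key.split("_", 2)[1]
    return f"sk_{kind}_...{key[-4:]}"


def load_api_key(environment, environ=os.environ):
    """Read SALLY_API_KEY and reject a key type that does not fit the environment."""
    expected = ALLOWED_PREFIX.get(environment)
    if expected is None:
        raise ValueError(f"unknown environment: {environment!r}")
    key = environ.get("SALLY_API_KEY", "")
    if not key.startswith(expected):
        # The message names the expected prefix only, never the key itself.
        raise RuntimeError(f"{environment} requires a {expected}* key")
    return key


def find_hardcoded_keys(text):
    """Return (line_number, redacted_key) for every key-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits
```

Run find_hardcoded_keys over staged files in a pre-commit hook and fail the commit when it returns any hits; call load_api_key once at startup so a production key in a development environment stops the process before any request is made.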
