Skip to main content
← Back to Docs

Authentication

Secure your API requests with Bearer token authentication.

Overview

The CollectIQ API uses API keys for authentication. Every request (except /health and public scan tracking) must include a valid API key in the Authorization header.

http
GET /api/v1/buyer-requests HTTP/1.1
Host: collectiqhq.com
Authorization: Bearer ciq_live_a1b2c3d4e5f6...
Content-Type: application/json

Creating API Keys

  1. Navigate to Portal → API Keys
  2. Click "Create API Key" and give it a descriptive name
  3. Select the scopes the key needs (or leave blank for full access)
  4. Copy the secret immediately — it's shown only once

⚠ Important: Store your API key securely. Never commit it to version control or expose it in client-side code.

SDK Authentication

typescript
import { createCollectIQ } from '@collectiq/sdk';

const ciq = createCollectIQ({
  baseUrl: 'https://collectiqhq.com/api',
  apiKey: process.env.COLLECTIQ_API_KEY,
});

// All requests are now authenticated
const requests = await ciq.buyerRequests.list();

cURL Example

bash
curl -X GET https://collectiqhq.com/api/v1/buyer-requests \
  -H "Authorization: Bearer ciq_live_a1b2c3d4..." \
  -H "Content-Type: application/json"

Scopes

API keys can be scoped to limit access. Available scopes:

read:requestsRead buyer requests
write:requestsCreate and update buyer requests
read:inventoryRead inventory items
write:inventoryCreate and update inventory
read:tradesRead trades and offers
write:tradesCreate and transition trades
read:webhooksRead webhook configurations
write:webhooksManage webhooks
adminFull workspace access

Error Responses

401 Unauthorized

json
{
  "code": "UNAUTHORIZED",
  "message": "Missing or invalid API key"
}

403 Forbidden

json
{
  "code": "INSUFFICIENT_SCOPE",
  "message": "API key lacks required scope: write:inventory"
}

429 Rate Limited

json
{
  "code": "RATE_LIMITED",
  "message": "Too many requests. Retry after 60 seconds.",
  "details": { "retry_after": 60 }
}

Rate Limiting

API requests are rate-limited per workspace. The SDK automatically retries on 429 responses with exponential backoff.

Default limit

100 req/min

Burst limit

20 req/sec