
Authentication

How API keys work, where to find yours, and how requests are scoped to your company.

API keys

All catalog endpoints require an API key, passed as the apiKey query parameter:

curl "https://referenzen.com/api/v1/branches/branches?apiKey=YOUR_KEY&lang_ID=1"

An API key belongs to a user within a company. Members find their key in the workspace: avatar menu → Settings → API.

Company scoping

The key does more than authenticate - it scopes every request:

  • All endpoints return only the key owner's company data. You never pass a company ID; it is derived from the key server-side and cannot be overridden.

  • The key's owner also determines the default content language when no valid lang_ID is given.

For an agency embedding a client's references, this means: use an API key from the client's company account (ideally from a dedicated, read-only user created for the integration — see Team & Permissions).

Failure behavior

Situation                                           | Response
No apiKey parameter                                 | 401 with empty body
Unknown/revoked key                                 | 401 with empty body
Key valid, but resource belongs to another company  | 401

The export endpoint's double authentication

GET /references/export returns your complete reference list including internal fields — so it requires user credentials in addition to the API key (login and password query parameters of a user belonging to the company). Use it for back-office synchronization only, never in browser code.

Key handling recommendations

Treat API keys like passwords. The catalog endpoints only expose published content, but a key still identifies a user account.

  • Create a dedicated integration user per website/integration, so keys can be rotated or revoked independently of personal accounts.

  • Prefer calling the API server-side (from your CMS or a small proxy) when you don't want the key visible in page source.

  • Deactivating the owning user in Team & Permissions invalidates the key immediately — that's the emergency stop.
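The server-side proxy recommended above, as an added example (not referenzen.com's own code): it injects the key from the environment, forwards only lang_ID from the browser, keeps /references/export unreachable, and masks credentials before logging. The environment variable name REFERENZEN_API_KEY, the path allowlist, the 502 mapping and the assumption that successful responses are JSON are illustrative choices, not documented behavior.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://referenzen.com/api/v1"   # base URL taken from the curl example
ALLOWED_PATHS = {"/branches/branches"}   # only the catalog path shown on this page; extend as needed
ALLOWED_PARAMS = {"lang_ID"}             # the browser may never supply apiKey, login or password


def build_upstream_url(path, client_params, api_key):
    """Build the upstream URL; the key is injected server-side only."""
    if path not in ALLOWED_PATHS:        # also keeps /references/export out of browser reach
        raise PermissionError(f"path not proxied: {path}")
    safe = {k: v for k, v in client_params.items() if k in ALLOWED_PARAMS}
    safe["apiKey"] = api_key
    return f"{BASE}{path}?{urllib.parse.urlencode(safe)}"


def redact(url):
    """Mask credential query parameters before a URL is written to a log."""
    parts = urllib.parse.urlsplit(url)
    query = [(k, "REDACTED" if k in ("apiKey", "login", "password") else v)
             for k, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def interpret(status, body):
    """Map an upstream reply to (status for the browser, JSON-able payload)."""
    if status == 401:                    # a 401 can arrive with an empty body: never parse it
        return 502, {"error": "upstream rejected the integration key"}
    if status != 200:
        return 502, {"error": f"upstream status {status}"}
    return 200, json.loads(body)         # assumption: successful responses are JSON


def proxy(path, client_params):
    """Fetch one catalog resource; REFERENZEN_API_KEY is an assumed variable name."""
    url = build_upstream_url(path, client_params, os.environ["REFERENZEN_API_KEY"])
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx responses
        print("upstream error", err.code, redact(url))
        return interpret(err.code, err.read())
```

A persistent 401 from the upstream means the integration user's key was revoked or the user deactivated, so alert on it server-side rather than passing the status through to visitors.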

Looking for AI-assistant access instead? That's a separate credential system with Bearer tokens — see AI Access (MCP Gateway).