Authentication
How API keys work, where to find yours, and how requests are scoped to your company.
API keys
All catalog endpoints require an API key, passed as the apiKey query parameter:
curl "https://referenzen.com/api/v1/branches/branches?apiKey=YOUR_KEY&lang_ID=1"
An API key belongs to a user within a company. Members find their key in the workspace: avatar menu → Settings → API.
Company scoping
The key does more than authenticate - it scopes every request:
- All endpoints return only the key owner's company data. You never pass a company ID; it is derived from the key server-side and cannot be overridden.
- The key's owner also determines the default content language when no valid lang_ID is given.
For an agency embedding a client's references, this means: use an API key from the client's company account (ideally from a dedicated, read-only user created for the integration — see Team & Permissions).
Failure behavior
| Situation | Response |
|---|---|
| No apiKey parameter | 401 with empty body |
| Unknown/revoked key | 401 with empty body |
| Key valid, but resource belongs to another company | 401 |
The export endpoint's double authentication
GET /references/export returns your complete reference list including internal fields — so it requires user credentials in addition to the API key (login and password query parameters of a user belonging to the company). Use it for back-office synchronization only, never in browser code.
Key handling recommendations
Treat API keys like passwords. The catalog endpoints only expose published content, but a key still identifies a user account.
- Create a dedicated integration user per website/integration, so keys can be rotated or revoked independently of personal accounts.
- Prefer calling the API server-side (from your CMS or a small proxy) when you don't want the key visible in page source.
- Deactivating the owning user in Team & Permissions invalidates the key immediately — that's the emergency stop.
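The core of such a server-side proxy, as an added example (not code from referenzen.com): it attaches the key on the server, drops any apiKey, login or password parameter sent by the browser, refuses paths outside an allowlist (so /references/export is unreachable), and masks the key before anything is logged. The environment variable name REFERENZEN_API_KEY, the allowlist contents, the injected `fetch` callable and the 401-to-502 mapping are assumptions of this sketch.

```python
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

API_BASE = "https://referenzen.com/api/v1"   # base URL from the curl example on this page
ALLOWED_PATHS = {"/branches/branches"}       # only catalog path shown on this page; extend as needed
CREDENTIAL_PARAMS = {"apikey", "login", "password"}  # never accepted from the browser

def build_upstream_url(path, client_query, api_key):
    """Return the upstream URL for an allowed catalog path, or None to refuse."""
    if path not in ALLOWED_PATHS:            # keeps /references/export out of reach
        return None
    params = [(k, v) for k, v in parse_qsl(client_query, keep_blank_values=True)
              if k.lower() not in CREDENTIAL_PARAMS]
    params.append(("apiKey", api_key))       # key is attached server-side only
    return f"{API_BASE}{path}?{urlencode(params)}"

def redact(url):
    """Mask credential parameters so the URL is safe to write to logs."""
    parts = urlsplit(url)
    params = [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(params)))

def handle(path, client_query, fetch, api_key=None):
    """Proxy one browser request. `fetch(url) -> (status, body)` is injected
    so any HTTP client can be used. Returns (status, body, log_line)."""
    api_key = api_key or os.environ["REFERENZEN_API_KEY"]  # hypothetical variable name
    url = build_upstream_url(path, client_query, api_key)
    if url is None:
        return 404, b"", f"refused path={path!r}"
    status, body = fetch(url)
    if status == 401:
        # An upstream 401 means the integration's own key was rejected,
        # so the visitor gets a gateway error instead of an auth prompt.
        return 502, b"", f"upstream 401 for {redact(url)}: check integration key"
    return status, body, f"upstream {status} for {redact(url)}"
```

Because the key travels in the query string, the same masking should be applied to any outbound-request or access logging the proxy host performs.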
Looking for AI-assistant access instead? That's a separate credential system with Bearer tokens — see AI Access (MCP Gateway).