Authentication
Overview
The Astalty API authenticates every request with an API key (a bearer token). You create and manage keys in the API Dashboard — see How to set up an API key.
Authenticating a request
Send your API key in the Authorization header as a Bearer token. We also recommend sending an Accept: application/json header so responses are always returned as JSON.
curl https://api.app.astalty.com.au/public/v1/participants \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Accept: application/json"
A request with a missing, malformed or revoked key is rejected with a 401 Unauthorized response.
Access levels and permissions
Every API key has an access level that you choose when creating the key (and can change later):
| Access level | What the key can do |
|---|---|
| Full Access | Read, create, update and delete data. |
| Read Only | Read data only. Create, update and delete requests return 403 Forbidden. |
On top of the access level, a key inherits the account owner's role-based permissions. Every endpoint still enforces the same permission checks used in the app — if the account owner couldn't perform an action in the web interface, the API will return a 403 Forbidden response for the equivalent request.
See How to set up an API key for details on choosing and changing access levels.
Rate limiting
The public API is rate limited to 60 requests per minute per API key. If you exceed the limit, requests return 429 Too Many Requests. Build a short delay and retry into your integration, and avoid making large bursts of calls in a tight loop.
Error responses
The API uses standard HTTP status codes and returns a JSON body describing the problem.
| Status | Meaning |
|---|---|
200 / 201 | Success |
401 Unauthorized | Missing, invalid or revoked API key |
403 Forbidden | The key doesn't have permission for this action (including write requests made with a Read Only key) |
404 Not Found | The resource doesn't exist (or isn't visible to your account) |
422 Unprocessable Entity | Validation failed — see the errors object for per-field messages |
429 Too Many Requests | Rate limit exceeded |
A typical error body looks like this:
{
"message": "The given data was invalid.",
"errors": {
"email": ["The email field is required."]
}
}
Request history
Every API request made with your keys is logged in the API Dashboard, where you can inspect the status, timing, request body and response body. See How to set up an API key for details.