API Authentication
Overview
The Uslimato public API uses API key authentication. Every request must include a valid API key in the Authorization header.
Authentication Header
Authorization: Bearer usl_live_<your-api-key>
Example:
curl https://api.uslimato.com/v1/assets \
  -H "Authorization: Bearer usl_live_abc123..."
Getting an API Key
API keys are created in the Developer Portal at app.uslimato.com/developer. You need the Admin role to create keys.
Security Guidelines
- Never expose API keys in client-side code (browsers, mobile apps)
- Store keys in environment variables or a secrets manager
- Use the most restrictive set of scopes necessary
- Set an expiry date for keys used in one-off scripts
- Rotate keys regularly for long-lived integrations
- Revoke unused or compromised keys immediately
Error Responses
All API errors return JSON with an error field:
{
  "error": "Unauthorized",
  "code": "UNAUTHORIZED"
}
| HTTP Status | Code | Meaning |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid API key |
| 403 | FORBIDDEN | Key does not have required scope |
| 404 | NOT_FOUND | Resource not found |
| 429 | RATE_LIMITED | Rate limit exceeded |
| 500 | INTERNAL_ERROR | Server error — contact support |
Rate Limiting Headers
Every response includes rate limit information:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests per hour |
| X-RateLimit-Remaining | Requests remaining in current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |
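The following is an added example, not code from Uslimato: a small client-side helper that loads the key from an environment variable, masks it before logging, and decides what to do with a response from the status codes and rate limit headers documented above. The variable name `USLIMATO_API_KEY`, the function names, and the sample values are assumptions made for illustration.

```python
import json
import os

KEY_PREFIX = "usl_live_"  # prefix shown in this page's header example


def auth_headers(environ=os.environ, var="USLIMATO_API_KEY"):
    """Build the Authorization header from an environment variable (name assumed)."""
    key = environ.get(var, "").strip()
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise RuntimeError(f"{var} is unset or does not look like a {KEY_PREFIX} key")
    return {"Authorization": f"Bearer {key}"}


def redact(headers):
    """Return a copy of the headers that is safe to log: the key body is masked."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = f"Bearer {KEY_PREFIX}***"
    return safe


def next_step(status, headers, body, now):
    """Map a response to (action, detail) using the documented codes and headers."""
    if 200 <= status < 300:
        return ("ok", None)
    try:
        code = json.loads(body).get("code", "")
    except (ValueError, TypeError, AttributeError):
        code = ""  # body was not the documented JSON error object
    if status == 429 or code == "RATE_LIMITED":
        # X-RateLimit-Reset is a Unix timestamp; wait until the window resets.
        raw = headers.get("X-RateLimit-Reset", "")
        reset = int(raw) if str(raw).isdigit() else now
        return ("wait", max(0, reset - now))
    if status == 401:
        return ("fix_key", "missing or invalid API key; do not retry")
    if status == 403:
        return ("fix_scope", "key lacks the required scope; do not retry")
    if status >= 500:
        return ("retry_later", code or "INTERNAL_ERROR")
    return ("fail", code or str(status))


if __name__ == "__main__":
    # Constructed sample values, not a real key or a captured response.
    hdrs = auth_headers({"USLIMATO_API_KEY": "usl_live_constructed123"})
    print(redact(hdrs))
    print(next_step(429, {"X-RateLimit-Reset": "1700000060"}, '{"code": "RATE_LIMITED"}', 1700000000))
```

Treating 401 and 403 as non-retryable keeps a misconfigured script from repeatedly sending a bad or under-scoped key, and logging only the redacted headers keeps the key out of log files.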
Tenant Isolation
API keys are scoped to a single tenant. You cannot use a key from one organization to access another organization's data.