API Key Authentication

All API requests require authentication via an API key passed in the Authorization header using the Bearer scheme.
Authorization: Bearer insp_your_api_key_here

Getting an API Key

API keys are generated by your Inspecto administrator through the admin panel. Each key is:
  • Company-scoped: Only accesses data for your company
  • Permission-based: Has specific scopes (read/write permissions)
  • Environment-specific: Separate keys for sandbox and production
API keys are shown only once during creation. Store them securely immediately.

Security Best Practices

  • Use environment variables or secret management systems
  • Never commit keys to version control
  • Don’t expose keys in client-side code
  • Use .env files with .gitignore
  • Rotate keys every 90 days
  • Use the rotation endpoint to create new keys
  • Old keys are automatically revoked after rotation
  • Request only the scopes your integration needs
  • Separate keys for read-only vs write operations
  • Use different keys for different services
  • Immediately revoke any compromised keys
  • Monitor key usage in the admin panel
  • Set up alerts for unusual activity

API Key Format

API keys follow a specific format for security and identification:
insp_<64_hex_characters>
Example:
insp_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
Keys are hashed using SHA-256 before storage. Only the fingerprint (first 8 characters) is stored in logs for auditing.

Making Authenticated Requests

curl -X GET "https://api.inspecto.com/api/third-party/v1/vehicles" \
  -H "Authorization: Bearer $INSPECTO_API_KEY"

Authentication Errors

401 Unauthorized

Returned when the API key is invalid, missing, or expired.
{
  "errors": [{
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key"
  }]
}
Common causes:
  • Missing Authorization header
  • Invalid key format
  • Expired or revoked key
  • Incorrect Bearer scheme

403 Forbidden

Returned when the API key lacks required permissions.
{
  "errors": [{
    "code": "FORBIDDEN",
    "message": "Insufficient permissions",
    "details": {
      "required": ["vehicles:write"],
      "available": ["vehicles:read"]
    }
  }]
}
Solution: Request additional scopes from your administrator.

Testing Authentication

Use the sandbox environment for testing:
https://sandbox.inspecto.com/api/third-party/v1
Sandbox keys are prefixed with insp_test_ to distinguish them from production keys.
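
To back up the "never commit keys to version control" practice with the key format described above, the following added example (not Inspecto's own code) scans text for Inspecto keys and redacts them before logging. It assumes sandbox keys are insp_test_ followed by 64 hex characters; the short id it prints is a truncated SHA-256 chosen for this example, not Inspecto's fingerprint, and all function names are hypothetical.

```python
import hashlib
import pathlib
import re
import sys

# Production format from the page: insp_ followed by 64 hex characters.
# Assumptions: sandbox keys are insp_test_ plus the same 64 hex characters (the page
# states only the prefix), and either hex case may appear.
KEY_RE = re.compile(r"\binsp_(test_)?[0-9a-fA-F]{64}\b")

def local_id(key):
    """Short tag for correlating a finding without printing the key.
    Assumption: first 8 hex chars of SHA-256(key), not Inspecto's fingerprint."""
    return hashlib.sha256(key.encode()).hexdigest()[:8]

def find_keys(text):
    """Return (line_number, environment, local_id) for every key in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            env = "sandbox" if m.group(1) else "production"
            findings.append((lineno, env, local_id(m.group(0))))
    return findings

def redact(text):
    """Replace each key with a marker that is safe to log."""
    return KEY_RE.sub(lambda m: f"insp_[REDACTED:{local_id(m.group(0))}]", text)

PAGE_EXAMPLE = "insp_" + "a1b2c3d4e5f6" * 5 + "a1b2"  # example key shown on the page
SANDBOX_EXAMPLE = "insp_test_" + "0f" * 32             # constructed sample
SAMPLE = "\n".join([                                    # constructed .env content
    "# service config",
    f"INSPECTO_API_KEY={PAGE_EXAMPLE}",
    f"SANDBOX_KEY={SANDBOX_EXAMPLE}",
    "DOC_PLACEHOLDER=insp_your_api_key_here",
])

if __name__ == "__main__":
    # With file arguments (e.g. from a pre-commit hook) scan them; else scan SAMPLE.
    hits = 0
    for path in sys.argv[1:] or [None]:
        text = pathlib.Path(path).read_text(encoding="utf-8", errors="replace") if path else SAMPLE
        for lineno, env, tag in find_keys(text):
            hits += 1
            print(f"{path or '<sample>'}:{lineno}: {env} Inspecto key (id {tag})")
    sys.exit(1 if hits else 0)
```

The script exits non-zero when a key is found, so it can gate a commit; the documentation placeholder insp_your_api_key_here does not match and is left alone.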