🔐Authentication

How to authenticate with the API

---

API Key

All requests require the x-replenit-auth-key header:

POST /customers/{tenantId}
Host: api.replen.it
Content-Type: application/json
x-replenit-auth-key: YOUR_BASE64_API_KEY

---

Get Your API Key

1. Login to your Replenit panel. Reach out to Customer Success Manager if you didnt have invitation email

2. Go to Settings → API Keys

3. Click Generate New Key

4. Copy the key (it won't be shown again)

---

Secure Storage

Use environment variables:

# .env file (add to .gitignore)
REPLENIT_API_KEY=your_base64_api_key_here
REPLENIT_TENANT_ID=your_tenant_id_here

Python:

import os
from dotenv import load_dotenv

load_dotenv()
API_KEY = os.getenv('REPLENIT_API_KEY')

Node.js:

require('dotenv').config();
const API_KEY = process.env.REPLENIT_API_KEY;

---

Best Practices

1. Never commit keys to version control

2. Use different keys for dev/staging/production

3. Don't expose keys in client-side code (browsers, mobile apps)

4. Rotate keys periodically (e.g. every 6 months)

---

Common Mistakes

❌ Keys in Source Code

# DON'T
API_KEY = "dGVzdF9hcGlfa2V5"  # Hardcoded!

# DO
API_KEY = os.getenv('REPLENIT_API_KEY')

❌ Keys in Version Control

# Add to .gitignore
.env
config.json
secrets/

❌ Client-Side Exposure

// DON'T use API keys in browser/mobile apps
// Use a backend proxy instead
fetch('/api/proxy/customers');

---

Troubleshooting

401 Unauthorized:

• Check x-replenit-auth-key header is present

• Verify API key is correct (no extra spaces)

• Ensure key hasn't been revoked

403 Forbidden:

• Verify tenant ID matches your organization

• Check key permissions in panel

---

Need Help?

Contact support@replen.it