Authentication
The v1 API is currently open — no authentication is required.
Authenticated access via Authorization: Bearer <token> will roll out to paying customers in a future release. Until then, sending an Authorization header is allowed and ignored.
When tokens ship
When auth is enabled, your existing integrations will continue to work — you'll receive your token by email and add it to one header:
```bash
curl -X POST https://loanlimit.app/v1/calculate \
  -H 'authorization: Bearer proata_live_<your-token>' \
  -H 'content-type: application/json' \
  -d '{...}'
```
No other code changes are needed. The token format is opaque (Stripe-style), environment-prefixed (proata_live_ for production, proata_test_ for any future sandbox environment), and revokable.
What changes when tokens ship
The API contract grows two new error codes and three response headers, all reserved in the current OpenAPI spec so your client can opt to handle them now:
| Code | Meaning | HTTP |
|---|---|---|
| unauthenticated | Missing or malformed Authorization header | 401 |
| invalid_token | Token format is wrong | 401 |
| expired_token | Token has passed its expiration | 403 |
| revoked_token | Token has been explicitly revoked | 403 |
| quota_exceeded | Your account has hit its rate or usage limit | 429 |
Rate-limiting response headers (also reserved, not emitted yet): X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset.
For now, none of these are returned by any endpoint. The reservation simply means they're documented as the future shape.
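Added example, not part of the loanlimit docs: a small Python client helper that builds the bearer header with an environment-prefix check and maps the reserved error codes and rate-limit headers to a client action. It assumes an error body shaped `{"error": "<code>"}` and a Unix-timestamp `X-RateLimit-Reset`; the page reserves the codes and headers but defines neither format.

```python
import json
import time

# Error codes the page reserves in the v1 OpenAPI spec, grouped by the
# action a client should take when one arrives.
RETRY_CODES = {"quota_exceeded"}                      # 429: back off, retry
REAUTH_CODES = {"unauthenticated", "invalid_token", "expired_token"}
FATAL_CODES = {"revoked_token"}                       # stop; needs a human


def build_headers(token: str, env: str = "live") -> dict:
    """Build the two headers the curl example sends. Refuses a token whose
    environment prefix (proata_live_ / proata_test_) does not match the
    environment this client is configured for, so a production token is
    never sent from a test deployment or vice versa."""
    prefix = f"proata_{env}_"
    if not token.startswith(prefix):
        raise ValueError(f"expected a {prefix}* token")
    return {"authorization": f"Bearer {token}",
            "content-type": "application/json"}


def classify_response(status: int, headers: dict, body: bytes, now=None):
    """Map a response to (action, detail): ('ok', payload),
    ('retry', seconds_to_wait), ('reauth', code), ('fatal', code) or
    ('error', status). Assumes an error body of {"error": "<code>"}; the
    page reserves the codes but does not specify the body shape."""
    if 200 <= status < 300:
        return ("ok", json.loads(body))
    try:
        code = json.loads(body).get("error")
    except (ValueError, AttributeError):
        code = None
    # Header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 429 or code in RETRY_CODES:
        # Assumes X-RateLimit-Reset is a Unix timestamp (not defined on the
        # page); wait until then, with a 1 s floor, instead of hammering.
        reset = hdrs.get("x-ratelimit-reset")
        now = int(time.time()) if now is None else now
        wait = max(1, int(reset) - now) if reset else 1
        return ("retry", wait)
    if code in FATAL_CODES:
        return ("fatal", code)
    if code in REAUTH_CODES or status in (401, 403):
        return ("reauth", code)
    return ("error", status)
```

Until tokens ship, the helper simply sends a header the API ignores and only ever sees the `ok` and `error` branches, so it can be wired in today.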