Authentication
The v1 API requires an API key on every request. Send it as a bearer token in the Authorization header:
curl -X POST https://loanlimit.app/v1/calculate \
-H 'authorization: Bearer proata_live_<your-token>' \
-H 'content-type: application/json' \
-d '{...}'
Requesting a key
Email api@desata.io to request an API key. Tell us the institution or product the key is for; we'll reply with a proata_live_ token.
Token format
Tokens are opaque (Stripe-style) and environment-prefixed:
proata_live_…— production credentials.proata_test_…— a future sandbox environment; not issued today.
Tokens are revokable. If you suspect a token has been exposed, email api@desata.io and we will revoke it and issue a replacement.
Errors
| Code | Meaning | HTTP |
|---|---|---|
unauthenticated |
Missing or malformed Authorization header |
401 |
invalid_token |
Token format is wrong | 401 |
expired_token |
Token has passed its expiration | 403 |
revoked_token |
Token has been explicitly revoked | 403 |
Match on the code value, not the human-readable message — see the stability contract.
Rate limiting (reserved)
X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset response headers and a quota_exceeded (HTTP 429) error code are reserved in the OpenAPI spec. They are not emitted today — we are still settling on appropriate per-account limits. When rate limits ship, the headers and error code will appear without a v1 contract break.