Skip to content

Authentication

The v1 API requires an API key on every request. Send it as a bearer token in the Authorization header:

curl -X POST https://loanlimit.app/v1/calculate \
  -H 'authorization: Bearer proata_live_<your-token>' \
  -H 'content-type: application/json' \
  -d '{...}'

Requesting a key

Email api@desata.io to request an API key. Tell us the institution or product the key is for; we'll reply with a proata_live_ token.

Token format

Tokens are opaque (Stripe-style) and environment-prefixed:

  • proata_live_… — production credentials.
  • proata_test_… — a future sandbox environment; not issued today.

Tokens are revokable. If you suspect a token has been exposed, email api@desata.io and we will revoke it and issue a replacement.

Errors

Code Meaning HTTP
unauthenticated Missing or malformed Authorization header 401
invalid_token Token format is wrong 401
expired_token Token has passed its expiration 403
revoked_token Token has been explicitly revoked 403

Match on the code value, not the human-readable message — see the stability contract.

Rate limiting (reserved)

X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset response headers and a quota_exceeded (HTTP 429) error code are reserved in the OpenAPI spec. They are not emitted today — we are still settling on appropriate per-account limits. When rate limits ship, the headers and error code will appear without a v1 contract break.

Questions

api@desata.io.