Authentication
All APRO REST endpoints use a single API key, passed in the
x-api-key request header. There is no OAuth flow and no token
refresh — keys are long-lived and scoped to either a tenant or a single
location.
Header
```http
POST /api/v1/external/order HTTP/1.1
Host: my.apro.at
x-api-key: sk_live_pLpXZq8S…
content-type: application/json
```
Key scope
Every APRO REST key is scoped to a single location. A request succeeds only if the location derived from the endpoint matches the location bound to the key.
| Endpoint style | Location is derived from |
|---|---|
| POST /api/v1/reports/receipts | the API key itself. |
| POST /api/v1/locations/{location}/reports/receipts | {location} in the URL, which must match the key. |
A location-scoped key fails closed if reused against another location and is safe to hand to a partner or a single deployment.
Obtaining a key
Keys are issued by the APRO account team. Contact your account manager or apro.at/support to request one. Rotation is supported; the retired key is kept valid for a grace period so you can roll over without downtime.
Storing keys
- Never commit a key to source control.
- Store keys in a secret manager (Azure Key Vault, 1Password, HashiCorp Vault, GitHub Actions / Azure DevOps secrets).
- Inject them at runtime as environment variables (APRO_API_KEY).
Error responses
| Status | Meaning |
|---|---|
| 401 Unauthorized | Missing or invalid x-api-key header. |
| 403 Forbidden | Key valid but not authorised for the requested location or action. |
| 429 Too Many Requests | You are being rate-limited. Back off and retry with exponential jitter. |