All Spirii Public API requests must be authenticated. The API uses bearer tokens sent in the Authorization header.
Get an API key
API access is granted per Spirii account. To request a key, contact support@spirii.com or your Spirii account manager. You’ll receive:
- A sandbox key for testing against
https://sandbox.api.spirii.com.
- A production key for live traffic against
https://api.spirii.com.
Authorize a request
Send the key in the Authorization header, prefixed with Bearer:
Authorization: Bearer YOUR_API_KEY
Example
curl https://api.spirii.com/v2/locations \
-H "Authorization: Bearer $SPIRII_API_KEY"
Errors
| Status | Reason |
|---|
401 Unauthorized | Missing or malformed Authorization header. |
401 Unauthorized | API key is invalid, expired, or revoked. |
403 Forbidden | Key is valid but lacks permission for the resource. |
Security best practices
Treat API keys like passwords. Never commit them to source control or embed them in mobile apps or front-end bundles.
- Store keys in a secret manager or environment variables — never in code.
- Use separate keys per environment (sandbox vs. production) and per service.
- Rotate keys regularly. To rotate without downtime: provision a new key, roll it into your application, then revoke the old one.
- Restrict outbound calls to the Spirii API to known IP ranges where possible.
