Authentication
The public API authenticates with a publishable key — a token prefixed with
pk_live_ that you create in the dashboard under Settings → API keys.
Presenting the key
Send the key on every request, either as a Bearer token (preferred) or in the
X-Api-Key header.

```sh
curl https://demo.nordfleet.io/api/v1/asset-groups \
  -H "Authorization: Bearer pk_live_xxxxxxxx"
```

```sh
curl https://demo.nordfleet.io/api/v1/asset-groups \
  -H "X-Api-Key: pk_live_xxxxxxxx"
```

Allowed origins
Each key can restrict which website origins may use it. When a request includes
an Origin header (a browser request), the origin must be in the key’s allow
list or the request is rejected with 403 ORIGIN_NOT_ALLOWED.
- Add your site’s origins (for example https://yourshop.com) when creating the key.
- Server-to-server calls send no Origin header and are not origin-checked.
Channels: browser vs. server
The API distinguishes two channels by the presence of an Origin header:
| Channel | Detected when | Session token required for writes? |
|---|---|---|
| Server | No Origin header | No |
| Browser | Origin header present | Yes |
Browser channel: session tokens
Browser callers must first mint a short-lived session token and send it as
X-Session-Token on write requests (quotes, bookings).
- POST /sessions with the key and the browser’s Origin — returns a session token valid for one hour.
- Send X-Session-Token: <token> on subsequent POST /quotes and POST /bookings calls from that origin.
Server-to-server callers skip this entirely — they can call the write endpoints directly with just the key.
Scopes
Keys are granted scopes at creation time. The public API scopes are:
- availability:read
- rates:read
- quotes:create
- bookings:create
- bookings:read
A request to an endpoint outside the key’s scopes is rejected with 403.
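The checks described in the Allowed origins, Channels, Browser channel and Scopes sections above, modelled as one server-side request check. This is an added example, not the NordFleet service's own code; the ApiKey record, the ENDPOINT_SCOPES mapping, the check_request function and the 401/404 responses are assumptions.

```python
"""Reference model of the request checks this page describes (origin allow
list, channel detection, session tokens for browser writes, scopes). Added
illustration, not the NordFleet service's own code; data structures, names
and the 401/404 codes are assumptions."""
import hmac
from dataclasses import dataclass
# Scope each public endpoint requires (assumed mapping, using the scope
# names listed on this page).
ENDPOINT_SCOPES = {
    ("GET", "/api/v1/availability"): "availability:read",
    ("GET", "/api/v1/rates"): "rates:read",
    ("POST", "/api/v1/quotes"): "quotes:create",
    ("POST", "/api/v1/bookings"): "bookings:create",
    ("GET", "/api/v1/bookings"): "bookings:read",
}

@dataclass(frozen=True)
class ApiKey:
    token: str                  # the pk_live_... publishable key
    scopes: frozenset           # scopes granted at creation time
    allowed_origins: frozenset  # origin allow list (may be empty)

def check_request(key, method, path, headers, sessions):
    """Return (status, code); sessions maps a live session token to the
    origin it was minted for (token -> origin)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    # The key arrives as a Bearer token (preferred) or in X-Api-Key.
    auth = hdrs.get("authorization", "")
    presented = auth[7:] if auth.startswith("Bearer ") else hdrs.get("x-api-key")
    if presented is None or not hmac.compare_digest(presented, key.token):
        return 401, "UNAUTHENTICATED"
    # Channel detection: an Origin header means a browser caller, whose
    # origin must be on the key's allow list.
    origin = hdrs.get("origin")
    if origin is not None and origin not in key.allowed_origins:
        return 403, "ORIGIN_NOT_ALLOWED"
    # Browser writes need a session token minted for that same origin;
    # server-to-server calls (no Origin) skip this check.
    if origin is not None and method == "POST":
        token = hdrs.get("x-session-token")
        if token is None or sessions.get(token) != origin:
            return 401, "SESSION_TOKEN_REQUIRED"
    # Scope enforcement: an endpoint outside the key's scopes is a 403.
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        return 404, "NOT_FOUND"
    if required not in key.scopes:
        return 403, "SCOPE_NOT_GRANTED"
    return 200, "OK"
```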