Authentication

The public API authenticates with a publishable key — a token prefixed with pk_live_ that you create in the dashboard under Settings → API keys.

Send the key on every request, either as a Bearer token in the Authorization header (preferred) or in the X-Api-Key header.

curl https://demo.nordfleet.io/api/v1/asset-groups \
  -H "Authorization: Bearer pk_live_xxxxxxxx"

Each key can restrict which website origins may use it. When a request includes an Origin header (a browser request), the origin must be in the key’s allow list or the request is rejected with 403 ORIGIN_NOT_ALLOWED.

  • Add your site’s origins (for example https://yourshop.com) when creating the key.
  • Server-to-server calls send no Origin header and are not origin-checked.

The API distinguishes two channels by the presence of an Origin header:

Channel | Detected when         | Session token required for writes?
--------|-----------------------|-----------------------------------
Server  | No Origin header      | No
Browser | Origin header present | Yes

Browser callers must first mint a short-lived session token and send it as X-Session-Token on write requests (quotes, bookings).

  1. POST /sessions with the key and the browser’s Origin — returns a session token valid for one hour.

  2. Send X-Session-Token: <token> on subsequent POST /quotes and POST /bookings calls from that origin.

Server-to-server callers skip this entirely — they can call the write endpoints directly with just the key.

Keys are granted scopes at creation time. The public API scopes are:

  • availability:read
  • rates:read
  • quotes:create
  • bookings:create
  • bookings:read

A request to an endpoint outside the key’s scopes is rejected with 403.
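The session-token flow and the scope check above, worked through as a reference model of the documented rules. This is an added example, not nordfleet's own code: the key record, the endpoint-to-scope mapping, the session-token format (an HMAC bound to key, origin and expiry) and the error codes other than ORIGIN_NOT_ALLOWED are assumptions made for illustration.

```python
import hashlib
import hmac

SIGNING_SECRET = b"constructed-session-signing-secret"  # constructed, illustrative only
SESSION_TTL = 3600  # page: session token valid for one hour

# Constructed key record, mirroring what the dashboard stores for a key.
KEYS = {"pk_live_xxxxxxxx": {"scopes": {"rates:read", "quotes:create"},
                             "origins": {"https://yourshop.com"}}}

# Scope each endpoint needs; the mapping is an assumption, the scope names are the page's.
ENDPOINT_SCOPES = {("GET", "/rates"): "rates:read", ("POST", "/quotes"): "quotes:create",
                   ("POST", "/bookings"): "bookings:create", ("GET", "/bookings"): "bookings:read"}
WRITE_ENDPOINTS = {("POST", "/quotes"), ("POST", "/bookings")}


def mint_session(key, origin, now):
    """POST /sessions: token bound to key and origin, valid one hour (format is an assumption)."""
    exp = now + SESSION_TTL
    mac = hmac.new(SIGNING_SECRET, f"{key}|{origin}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def session_valid(token, key, origin, now):
    """Accept only an unexpired token minted for exactly this key and origin."""
    exp_str, _, mac = token.partition(".")
    if not exp_str.isdigit() or now >= int(exp_str):
        return False
    expected = hmac.new(SIGNING_SECRET, f"{key}|{origin}|{exp_str}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def authorize(method, path, headers, now):
    """Apply the documented checks in order; returns (status, code). Undocumented codes are assumptions."""
    auth = headers.get("Authorization", "")
    key = auth[len("Bearer "):] if auth.startswith("Bearer ") else headers.get("X-Api-Key")
    record = KEYS.get(key)
    if record is None:
        return 401, "INVALID_KEY"
    origin = headers.get("Origin")  # header present => browser channel
    if origin is not None and origin not in record["origins"]:
        return 403, "ORIGIN_NOT_ALLOWED"
    if ENDPOINT_SCOPES.get((method, path)) not in record["scopes"]:
        return 403, "SCOPE_NOT_GRANTED"
    if origin is not None and (method, path) in WRITE_ENDPOINTS:
        if not session_valid(headers.get("X-Session-Token", ""), key, origin, now):
            return 403, "SESSION_TOKEN_REQUIRED"
    return 200, "OK"
```

A token minted for one origin is rejected on another, and a browser read such as GET /rates needs no session token, matching the table above.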