Authentication
All API requests must include a valid API key.
Creating an API Key
- Go to Settings > API Keys in your dashboard
- Click Generate New Key
- Copy the key immediately — it’s only shown once
- Store it securely (environment variable, secrets manager)
Using Your Key
Include the key in the Authorization header of every request:
curl https://rentalot.ai/api/v1/properties \
-H "Authorization: Bearer ra_abc123..."Key Format
Keys are prefixed with ra_ followed by 32 random bytes (base64url-encoded). They are hashed with SHA-256 before storage — Rentalot cannot recover a lost key, so save it when it’s generated.
Failed Authentication
A missing, malformed, expired, or revoked key returns 401 Unauthorized in RFC 9457 Problem Details format:
{
"type": "https://rentalot.ai/problems/unauthorized",
"title": "Unauthorized",
"status": 401,
"detail": "Missing or invalid API key"
}Revoking Keys
Revoke any key from Settings > API Keys. Revocation is immediate — any requests using that key will return 401 Unauthorized.
API Access by Plan
Your API key inherits the rate limits and permissions of your plan:
| Plan | Access | API Keys | Global RPM | Daily Requests |
|---|---|---|---|---|
| Free Trial | No API | 0 | — | — |
| Starter | Read-only | 2 | 30/min | 5,000/day |
| Pro | Full CRUD | 5 | 120/min | 50,000/day |
| Scale | Full + priority | 20 | 600/min | 500,000/day |
Write operations have additional per-resource daily and monthly limits. Upgrade your plan to increase limits.
Security
- Never commit API keys to version control
- Use environment variables to store keys
- Rotate keys periodically
- Each key is scoped to your account — it can only access your properties and data