
Authentication Method

The Gather API uses API Key authentication via a simple header. All requests must include your API key in the x-api-key header.

Request Format

Include your API key in the x-api-key header:
x-api-key: your-api-key-here
The API key contains all necessary information including your organization and team context. You don’t need to provide an organization ID separately.

Getting Your API Key

API credentials are created via Eucalyptus (internal admin tool). Contact your Qualifi administrator to obtain your API key.

API Key Format

  • Format: API keys are prefixed with qapi_ followed by a secure random string
  • Example: qapi_abc123def456ghi789jkl012mno345pqr678stu901vwx234yz
  • Scope: API keys are scoped to your organization/team level
  • Permissions: API keys inherit permissions from the organization/team they’re associated with

Example Requests

curl -X GET https://api.prod.qualifi.hr/qsi/gather/questions \
  -H "x-api-key: your-api-key-here"

Authorization Scope

All resources are automatically scoped to your organization/team based on your API key:
  • You can only access resources belonging to your organization
  • API keys inherit permissions from the organization/team they’re associated with
  • Multiple API keys can be created per organization/team
  • API keys can be rotated or revoked independently
  • The organization and team context is automatically determined from your API key

Error Responses

Invalid or missing API keys will result in a 401 Unauthorized response:
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid API key"
  },
  "meta": {
    "requestId": "uuid",
    "timestamp": "2024-01-01T00:00:00Z"
  }
}
Omitting the x-api-key header entirely also returns a 401 Unauthorized, with a details object naming the expected header:
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Missing authentication header",
    "details": {
      "expectedFormat": "x-api-key header"
    }
  },
  "meta": {
    "requestId": "uuid",
    "timestamp": "2024-01-01T00:00:00Z"
  }
}
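A small client that puts the sections above together, as an added example that is not part of the Gather API documentation or Qualifi's own code: it reads the key from the GATHER_API_KEY environment variable recommended under Best Practices, checks the documented qapi_ prefix before use, sends it only in the x-api-key header, redacts it for logging, and flattens the two 401 envelopes shown above into one error dict. The base URL is taken from the curl example; the environment variable name and the helper function names are assumptions.

```python
import json
import os
import urllib.error
import urllib.request

# Assumptions (not from the page): GATHER_API_KEY as the env var name, base URL from the
# page's curl example. Only get_questions() touches the network; the rest runs offline.
BASE_URL = "https://api.prod.qualifi.hr/qsi/gather"
KEY_PREFIX = "qapi_"


def load_api_key(env=os.environ):
    """Read the key from the environment and check the documented qapi_ shape."""
    key = env.get("GATHER_API_KEY", "").strip()
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise ValueError("GATHER_API_KEY missing or not a qapi_-prefixed key")
    return key

def redact(key):
    """Log-safe form: prefix plus last four characters, never the full secret."""
    return f"{KEY_PREFIX}...{key[-4:]}"

def auth_headers(key):
    # The key already carries org/team context, so x-api-key is the only auth header.
    return {"x-api-key": key, "Accept": "application/json"}

def parse_error(status, body):
    """Flatten the documented error envelope; expectedFormat only appears when the header is missing."""
    doc = json.loads(body)
    err = doc.get("error", {})
    details = err.get("details") or {}
    return {
        "status": status,
        "code": err.get("code"),
        "message": err.get("message"),
        "expectedFormat": details.get("expectedFormat"),
        "requestId": doc.get("meta", {}).get("requestId"),
    }

def get_questions(key, opener=urllib.request.urlopen):
    """GET /questions; a 401 is returned as a parsed error dict instead of raising."""
    req = urllib.request.Request(BASE_URL + "/questions", headers=auth_headers(key))
    try:
        with opener(req) as resp:
            return {"status": resp.status, "data": json.loads(resp.read())}
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            return parse_error(401, exc.read())  # requestId is what to quote to the admin
        raise
```

Log only redact(key); the requestId from the error envelope is the value to pass to your Qualifi administrator when a key is rejected.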

API Key Management

  • Multiple Keys: Each organization/team can have multiple API keys
  • Key Rotation: API keys can be rotated/revoked without affecting other keys
  • Read-Only Keys: Support for read-only vs. read-write API keys (future enhancement)
  • Team-Specific Keys: API keys can be scoped to specific teams within an organization
Keep your API keys secure. Never commit them to version control or expose them in client-side code. Store them as environment variables or in secure credential management systems.

Best Practices

  1. Environment Variables: Store API keys in environment variables
    export GATHER_API_KEY="qapi_your-key-here"
  2. Secure Storage: Use secret management tools (AWS Secrets Manager, HashiCorp Vault, etc.) in production
  3. Key Rotation: Rotate API keys periodically for security
  4. Separate Keys: Use different keys for different environments (production, staging)
  5. Monitor Usage: Regularly review API key usage and revoke unused keys
For credential management operations (create, list, revoke), contact your Qualifi administrator or use the Eucalyptus admin tool.
