Skip to Content
API referenceAuthentication

Authentication

Every request to api.inferio.xyz carries two headers:

HeaderValueNotes
AuthorizationBearer <token>Token from Dashboard → Settings → API keys
X-Merchant-ID<your merchant id>Scopes the token to your merchant. Required even though the token itself is merchant-scoped — defence-in-depth.

Tokens come in two flavours:

PrefixEnvironmentNotes
inf_dev_…Sandbox / devUse against api-dev.inferio.xyz. Hits the same NTA validator but documents land in the staging bucket and are purged after 7 days.
inf_live_…ProductionUse against api.inferio.xyz. Real billing, real retention per your contract.
curl https://api-dev.inferio.xyz/api/v1/ocr/requests \ -H "Authorization: Bearer inf_dev_5e90b3..." \ -H "X-Merchant-ID: merchant_abc123"

Generating tokens

  1. Sign in to the dashboard
  2. Settings → API keys
  3. Create token — name it (e.g. production-server, staging-server), pick environment (test/live), and copy the secret immediately — we hash it server-side, so this is the only time you’ll see the plain string

Rotating tokens

Tokens are rotatable with a grace window — the old and new tokens both work for up to 24h after rotation, so you can roll updates without a window of downtime.

  1. Dashboard → Settings → API keys → Rotate
  2. Update your secret manager / k8s secret with the new token
  3. Wait for the grace window or click Revoke old token when you’ve verified the new one is in use

Never embed an inf_live_* token in a browser bundle, mobile app, or anywhere a customer could exfiltrate it. The token grants full read/write access on your merchant. Server-side only.

Token scopes (coming soon)

Today’s tokens have full merchant-wide access. Per-endpoint scopes (e.g. read-only vs read+write) are on the roadmap — when they ship, the existing tokens will keep their current full-access behaviour unless you explicitly downgrade.

Drop your email on the Developers section  if you want the heads-up when scopes go live.

401 vs 403 vs 200-with-error

Inferio uses three failure modes deliberately:

HTTP codeWhen
401Token missing, malformed, or revoked
403Token valid but X-Merchant-ID mismatch — wrong merchant
200 + error_codeApplication-layer business error (session expired, validation failed)

This split lets your retry logic do the right thing — 401/403 means auth is broken (don’t retry), 200-with-error means logic-level issue that may need operator attention.