Authentication

Secure your API requests with Bearer token authentication.

Every request to the Straply API must include a valid API key. Keys are passed as Bearer tokens in the Authorization header. No OAuth, no session cookies — just a single header.

API key format

Keys are prefixed to indicate their environment. Use the prefix to confirm you are targeting the right environment before making a call.

Prefix      Environment   Behavior
stp_live_   Production    Returns live property data. Requests count toward your plan quota.
stp_test_   Sandbox       Returns realistic mock data. Requests do not count toward limits.

Example key:
stp_live_a1b2c3d4e5f6g7h8i9j0klmnopqrstuv

Keys are 40 characters total — a 9-character prefix plus a 31-character random string.

Making authenticated requests

Include your key in the Authorization header with the Bearer scheme. This works the same for every endpoint and HTTP method. The key travels as a plain header value, so only ever send it over https:// (as in the examples below); a request sent over plain HTTP exposes the key to anyone on the path.

GET /v1/properties/{id}
cURL
$ curl https://api.straply.com/v1/properties/stp_a3f7c2e91b4d \
  -H "Authorization: Bearer stp_live_YOUR_KEY"
Python
import requests

resp = requests.get(
    "https://api.straply.com/v1/properties/stp_a3f7c2e91b4d",
    headers={"Authorization": "Bearer stp_live_YOUR_KEY"},  # headers must be a dict
    timeout=10,
)
resp.raise_for_status()  # turns a 401/403 into an exception instead of a failed .json()
data = resp.json()

Key management

Manage your API keys from the Dashboard → API Keys page. Three operations are available:

Create

Generate new keys at any time. Each key has its own usage tracking.

Revoke

Immediately invalidate a compromised key. Takes effect in under 30 seconds.

Roll

Generate a replacement key that inherits the same permissions. The old key remains valid for 24 hours to give you time to update your code. Because the old key keeps working during that window, Roll is for routine rotation only; if a key may have been compromised, Revoke it instead.

Security best practices

Never expose API keys in client-side code. Browser JavaScript, mobile app bundles, and public repositories are all visible to end users. Always call the Straply API from a backend server.

  • Store keys in environment variables or a secrets manager, not in source code.
  • Use stp_test_ keys during development and CI.
  • Rotate production keys every 90 days using the Roll feature.
  • Use separate keys for separate applications so you can revoke one without affecting others.
  • Add .env and *.key to your .gitignore.
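The following is an added example, not Straply's own SDK or sample code, that puts the prefix check from the API key format section and the environment-variable advice above into a startup guard. It reads the key from an assumed STRAPLY_API_KEY variable, derives the environment from the documented stp_live_ / stp_test_ prefix, and refuses a live key outside production (where it would burn quota and touch real data from CI or a laptop) or a test key inside production (where real users would get mock data). The variable names APP_ENV and STRAPLY_API_KEY, and the assumption that the random part of a key is alphanumeric, are this example's, not Straply's.

```python
import os
import re

# Prefixes documented for the Straply API, mapped to the environment names
# used in the "API key format" table.
KEY_PREFIXES = {
    "stp_live_": "production",
    "stp_test_": "sandbox",
}
# The page's example key uses only letters and digits after the prefix; that
# character set is an assumption of this example, not a documented rule.
KEY_BODY = re.compile(r"^[A-Za-z0-9]+$")


class KeyConfigError(Exception):
    """Raised at startup when no usable key is configured for this deployment."""


def key_environment(key: str) -> str:
    """Return 'production' or 'sandbox' based on the key prefix, or raise."""
    for prefix, env in KEY_PREFIXES.items():
        if key.startswith(prefix):
            if not KEY_BODY.match(key[len(prefix):]):
                raise KeyConfigError("API key has an unexpected character set")
            return env
    raise KeyConfigError("API key does not carry a recognised stp_ prefix")


def load_api_key(environ=os.environ, deploy_env_var="APP_ENV",
                 key_var="STRAPLY_API_KEY") -> str:
    """Read the key from the environment and refuse a mismatched prefix.

    APP_ENV and STRAPLY_API_KEY are assumed variable names. Anything other
    than APP_ENV=production (development, ci, staging, ...) is treated as
    non-production and must use a stp_test_ key.
    """
    key = environ.get(key_var, "").strip()
    if not key:
        raise KeyConfigError(f"{key_var} is not set")
    deploy_env = environ.get(deploy_env_var, "development")
    key_env = key_environment(key)
    if deploy_env == "production" and key_env != "production":
        raise KeyConfigError("production deployment configured with a sandbox key")
    if deploy_env != "production" and key_env == "production":
        raise KeyConfigError(f"{deploy_env} deployment configured with a live key")
    return key


def auth_headers(key: str) -> dict:
    """Header dict for requests/urllib, exactly as the curl example sends it."""
    return {"Authorization": f"Bearer {key}"}


def redact(key: str) -> str:
    """Log-safe form of a key: prefix plus the last four characters only."""
    for prefix in KEY_PREFIXES:
        if key.startswith(prefix):
            return f"{prefix}...{key[-4:]}"
    return "<unrecognised key>"


if __name__ == "__main__":
    # Constructed keys for a local run; neither is a real credential.
    demo_env = {"APP_ENV": "ci", "STRAPLY_API_KEY": "stp_test_" + "x" * 31}
    key = load_api_key(demo_env)
    print("loaded", redact(key), "->", auth_headers(key)["Authorization"][:14] + "...")
```

Run the guard once at process start, before any request is built, so a misconfigured container fails fast rather than quietly calling production; log keys only through redact() so a 401 message never ends up in a log line next to the full credential.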

Error responses

When authentication fails, the API returns a 401 Unauthorized response with a structured error body. Common causes: missing header, malformed key, or a revoked key.

401 Unauthorized

{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key.",
    "status": 401
  }
}

Status   Code           Cause
401      unauthorized   No Authorization header, or the key is invalid / revoked.
403      forbidden      The key is valid but does not have permission for this resource.

See the Errors reference for the full list of error codes and troubleshooting steps.
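As an added example (not part of Straply's documentation or client libraries), the client below handles the two documented authentication failures distinctly: a 401 means the credential itself must be fixed or rolled, a 403 means the key works but lacks permission for the resource, and conflating them sends an on-call engineer down the wrong path. It also tolerates a non-JSON body on those status codes, since a proxy or gateway in front of the API may answer with HTML. The exception class names, the get_property helper and the base_url parameter are this example's; only the status codes, the error body shape and the /v1/properties/{id} path come from the page.

```python
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class StraplyAuthError(Exception):
    """401: the key was missing, malformed, or revoked. Fix the credential."""


class StraplyPermissionError(Exception):
    """403: the key is valid but not permitted for this resource."""


def parse_error_body(status: int, raw: bytes) -> dict:
    """Extract the documented {"error": {code, message, status}} body.

    Falls back to the raw text when the body is not the expected JSON, so a
    gateway's HTML error page still yields something useful to log.
    """
    try:
        body = json.loads(raw.decode("utf-8"))
        err = body["error"]
        return {
            "code": err.get("code"),
            "message": err.get("message"),
            "status": err.get("status", status),
        }
    except (ValueError, KeyError, TypeError, AttributeError):
        return {"code": None,
                "message": raw[:200].decode("utf-8", "replace"),
                "status": status}


def raise_for_auth(status: int, raw: bytes) -> dict:
    """Map 401 and 403 to distinct exceptions; return the parsed body otherwise.

    Neither exception message includes the key, so these are safe to log.
    """
    err = parse_error_body(status, raw)
    if status == 401:
        raise StraplyAuthError(f"{err['code'] or 'unauthorized'}: {err['message']}")
    if status == 403:
        raise StraplyPermissionError(f"{err['code'] or 'forbidden'}: {err['message']}")
    return err


def get_property(property_id: str, api_key: str,
                 base_url: str = "https://api.straply.com") -> dict:
    """GET /v1/properties/{id} with the Bearer header; raises on auth failure."""
    req = Request(f"{base_url}/v1/properties/{property_id}",
                  headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except HTTPError as e:
        raise_for_auth(e.code, e.read())
        raise  # any other HTTP error propagates unchanged
```

Callers catching StraplyAuthError should treat it as a configuration incident (check that the key was not revoked or rolled more than 24 hours ago), while StraplyPermissionError is a scoping problem to raise with whoever manages the key's permissions; retrying either is pointless.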