Authentication & API Tokens

All API endpoints require valid authentication to allow access. You can manage API tokens inside the Everee admin portal if you have administrator permission for your company instance.

❗️

API tokens are not publishable

Everee API keys are sensitive system-to-system shared secrets and must not be published in any client-facing codebase. That includes web app code, native mobile app code, and so on. We'll reject requests made from browsers for this reason.

To integrate a client-facing application with Everee, first secure the API key within your backend systems, then create an API endpoint to securely deliver data to your client-side application.

You can generate an API token in the Integrations Hub section of the Everee web app. Find the section called "Everee API" and click the ➕ icon:

Next, make a note of your instance's "Company tenant ID", and then click "Create API token":

The API token, and the numerical tenant/company ID, should be included in all requests using two headers. Your API token must be specific as an HTTP Basic Authentication header, using the basic scheme:

authorization: basic c2tf...
x-everee-tenant-id: 12345

🚧

You may need to base64-encode the API token

If your API token begins with sk_, you will need to Base64-encode the token before including it in your authorization header.

Once an API token has been deleted or rotated, and it has expired, it will no longer be valid for authentication and any requests using that token will respond with an HTTP 401 error.