Every request is authenticated with an API key sent in the Authorization header.
Authorization: dk_live_your_api_key_here
Content-Type: application/json
API keys
API keys are issued by the doola team, one per environment.
| Prefix | Environment |
|---|
dk_test_ | Sandbox (https://api.test.doola.com) |
dk_live_ | Production (https://api.doola.com) |
Treat API keys as secrets. Use them only from your backend, never in client side code. A sandbox key does not work against production, and the reverse is also true.
| Header | Required | Description |
|---|
Authorization | Yes | Your API key, sent as the raw value (no Bearer prefix). |
Content-Type | On writes | application/json for POST requests. |
Idempotency-Key | On writes | Required on create endpoints. Makes retries safe. |
x-request-id | No | Optional correlation id. Echoed back on the response. |
Idempotency
The create endpoints (POST /v1/partner/customers and POST /v1/partner/companies) require an Idempotency-Key.
- Use a unique value per logical operation, for example a UUID tied to your own record.
- Retrying with the same key and the same body returns the original result and never creates a duplicate.
- Reusing a key with a different body returns
409 E_IDEMPOTENCY_KEY_REUSED.
- After a
4xx, use a fresh key for the corrected request.
