Authentication
All API requests require an API key passed via the X-API-Key header.
Getting a key
- Sign in at app.acqatlas.com
- Go to Settings > API
- Click Create API Key and give it a name
- Copy the key immediately — it won't be shown again
Using your key
Include the X-API-Key header in every request:
```bash
curl -H "X-API-Key: ak_live_a1b2c3d4e5f6..." \
  "https://api.acqatlas.com/v1/filings?limit=5"
```
Key format
API keys follow this format:
ak_live_<32 hex characters>
Example: ak_live_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
Only the ak_live_ prefix plus the first 8 hex characters (ak_live_a1b2c3d4) are stored for display. The full key is hashed with SHA-256 and never stored in plaintext.
Key management
| Action | Description |
|---|---|
| Create | Generate your API key (1 key per account). |
| Revoke | Immediately disable your key. Revoked keys return 401. |
| Rotate | Revoke the current key and create a new one atomically. |
Error responses
| Status | Body | Meaning |
|---|---|---|
| 401 | {"error": "invalid_api_key", "message": "API key is missing or invalid"} | Key not provided, revoked, or incorrect |
| 429 | {"error": "rate_limit_exceeded", "message": "Daily request limit exceeded"} | Pro/Enterprise: daily limit hit |
| 429 | {"error": "lifetime_limit_exceeded", "message": "Free tier lifetime request limit exceeded"} | Free tier: 100 lifetime requests used |
For Pro/Enterprise, the 429 response includes a Retry-After header; the daily limit resets at midnight UTC. Free tier users who exceed their lifetime limit must upgrade.
Security best practices
- Store your key in environment variables, never in source code
- Rotate your key periodically
- Revoke and regenerate immediately if compromised
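
The following client-side sketch is an added example, not code from the API provider. It loads the key from the environment, validates the documented format before any request is made, redacts it for logs, and maps the documented error bodies to a caller action. The variable name `ACQATLAS_API_KEY`, the helper names, lowercase-only hex, and reading Retry-After as seconds are assumptions.

```python
import json
import os
import re
import urllib.request

# Documented format: ak_live_<32 hex characters>. Lowercase hex is an
# assumption based on the example key shown on this page.
KEY_RE = re.compile(r"ak_live_[0-9a-f]{32}")
BASE_URL = "https://api.acqatlas.com/v1"

def load_key(env=os.environ, var="ACQATLAS_API_KEY"):  # variable name is an assumption
    """Read the key from the environment and reject malformed values early."""
    key = env.get(var, "").strip()
    if not KEY_RE.fullmatch(key):
        # Never echo the rejected value: it may be a real key with a typo.
        raise ValueError(f"{var} is unset or not in ak_live_<32 hex> format")
    return key

def redact(key):
    """Log-safe form: the same display prefix the service keeps."""
    return key[:16] + "..."

def build_request(key, path="/filings?limit=5"):
    """Attach the key as the X-API-Key header; nothing is sent here."""
    return urllib.request.Request(BASE_URL + path, headers={"X-API-Key": key})

def next_action(status, body, headers):
    """Map the documented error responses to what the caller should do."""
    if status == 200:
        return ("ok", None)
    try:
        error = json.loads(body).get("error")
    except (ValueError, TypeError, AttributeError):
        error = None  # body was not the documented JSON object
    if status == 401 and error == "invalid_api_key":
        return ("stop_check_key", None)  # missing, revoked or wrong: do not retry
    if status == 429 and error == "rate_limit_exceeded":
        # Assumption: Retry-After is delta-seconds; an HTTP-date is not parsed.
        retry = headers.get("Retry-After", "")
        return ("wait", int(retry) if retry.isdigit() else None)
    if status == 429 and error == "lifetime_limit_exceeded":
        return ("stop_upgrade", None)  # Free tier: retrying will never succeed
    return ("unexpected", None)
```

Distinguishing the two 429 bodies matters because only `rate_limit_exceeded` is worth retrying; a retry loop on `lifetime_limit_exceeded` or on a 401 from a revoked key never succeeds.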