Authentication - Conduit

API keys

Send your key on every authenticated request, as either header:

curl "https://api.financialdatapi.com/v1/public/coverage" \
  -H "x-api-key: $CONDUIT_API_KEY"

Keys are stored hashed and compared in constant time. Keep them server-side; never ship a key in client-side code.

Public, no-key endpoints

These are open so agents and tooling can discover the API before authenticating:

Endpoint	Purpose
`GET /health`	Liveness check.
`GET /ready`	Readiness check.
`GET /openapi.json`	OpenAPI 3.1 document.
`GET /llms.txt`	Compact, sectioned index of every endpoint — start here as an agent.
`GET /llms-full.txt`	Full endpoint reference with parameters.

Errors

Errors use a stable envelope and codes — distinguish “don’t retry” (bad_request, not_found, unauthorized, forbidden) from “retry with backoff” (rate_limited, internal_error):

{
  "error": { "code": "unauthorized", "message": "Missing or invalid API key", "request_id": "req_..." },
  "requestId": "req_..."
}

Status	Code	Meaning
400	`bad_request`	Malformed request or unknown query param.
401	`unauthorized`	Missing or invalid key.
403	`forbidden`	Valid key, insufficient scope.
404	`not_found`	No such resource.
429	`rate_limited`	Slow down; retry after a pause.
500	`internal_error`	Transient server error; retry with backoff.

Scopes

Keys are least-privilege scoped (data:read for the data API; ops:read for health/coverage). Most usage only needs data:read. Request the scopes you need when you get a key.

​API keys

​Public, no-key endpoints

​Errors

​Scopes

API keys

Public, no-key endpoints

Errors

Scopes