Authentication¶
All consumer API requests require an API key. Your tenant administrator creates consumers and provides API keys through the management dashboard at app.xlsxapi.eu.
Passing Your API Key¶
Include your API key in one of these request headers:
Both methods are equivalent. Use whichever your HTTP client supports most naturally.
API Key Format¶
API keys follow the format {tenant_slug}_{uuid}:
Keep your API key secret
API keys are shown only once when created. Treat them like passwords — don't commit them to version control or expose them in client-side code.
Permissions¶
Your API key's access to each engine is configured by the tenant administrator:
| Permission | Grants access to |
|---|---|
can_execute |
Execute the engine (POST /jobs/execute/...) |
can_view_jobs |
View job status and results (GET /jobs/{job_id}) |
can_download |
Download filled Excel files (GET /jobs/{job_id}/download) |
can_view_about |
View engine metadata (GET /jobs/about/...) |
You can only view and download jobs that were created with your own API key.
Error Responses¶
| Status | Meaning |
|---|---|
401 Unauthorized |
Missing, invalid, or inactive API key |
403 Forbidden |
Valid key but insufficient permissions for this engine or action |
// 401 — invalid key
{ "detail": "Invalid API key" }
// 403 — no permission
{ "detail": "Consumer does not have execute permission for this engine" }
IP Whitelisting¶
Engines may optionally restrict access to specific IP addresses or CIDR ranges. If enabled and your IP is not whitelisted, you'll receive 403 Forbidden regardless of your API key permissions.
Contact your tenant administrator if you need your IP added to the whitelist.