All API requests are authenticated using API keys created in Palm Console (platform.getpalm.com).

API keys

API keys are long-lived credentials used for all server-side API calls. They’re created and managed in Console.

Key format

The key prefix tells you the environment:
Prefix     Environment   Billing
sk_test_   Test          Not billed
sk_live_   Production    Billed

Usage

Include the API key in the Authorization header as a Bearer token:
Bash
curl -X POST https://api.getpalm.com/v1/business/registry/search \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer sk_test_...' \
  -d '{
    "name": "Acme Corporation",
    "registration_jurisdiction": "US-CA"
  }'

Key security

When you create an API key, the raw key is returned once. Palm stores a cryptographic hash — not the key itself. If you lose a key, you’ll need to create a new one. Each API key is tied to one organization. All requests authenticated with that key operate within that organization’s context.

Test vs production

The key prefix determines the mode, which affects:
  • Billing: Production requests are metered and billed. Test requests are free.
  • External providers: Some verification providers use different credentials in each mode.
  • Data isolation: Test and production data are kept separate.
Use test keys during development and integration testing.

Error handling

Status code                 Meaning
400 Bad Request             Invalid request parameters.
401 Unauthorized            Missing or invalid credentials.
403 Forbidden               Valid credentials but insufficient permissions.
404 Not Found               Resource not found.
429 Too Many Requests       Rate limit exceeded.
500 Internal Server Error   Server error.

Common causes of 401 errors: missing Authorization header, malformed Bearer token, or expired / revoked API key.

Error responses follow the RFC 7807 Problem Details format:
JSON
{
  "type": "https://api.getpalm.com/problems/validation_error",
  "title": "Validation Error",
  "status": 400,
  "detail": "Request validation failed",
  "instance": "/v1/business/registry/search"
}

Best practices

  • Store API keys securely: Use environment variables or a secrets manager. Never commit keys to source control.
  • Use test keys for development: Reserve sk_live_ keys for production systems.
  • Rotate keys periodically: Create new keys and deprecate old ones on a regular schedule.
  • Monitor key usage: Check Console for unusual activity patterns.

Rate limiting

All authenticated requests are subject to rate limits. When you exceed the limit, the API returns 429 Too Many Requests with the following headers:
Header                  Description
X-RateLimit-Limit       Maximum requests per minute.
X-RateLimit-Remaining   Requests remaining in the current window.
X-RateLimit-Reset       Unix timestamp when the window resets.
Back off and retry after the reset window.
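
The key-prefix, error-handling and rate-limit rules above can be enforced in client code. The following is an added example, not Palm's own client code: it checks the key mode before use, computes the wait from X-RateLimit-Reset, and reads the Problem Details body. The function names, the PALM_API_KEY variable name and the 60-second cap are assumptions.

```python
import json
import os
import time

KEY_MODES = {"sk_test_": "test", "sk_live_": "production"}  # prefixes from "Key format"


def key_mode(api_key):
    """Return 'test' or 'production' from the key prefix; reject anything else."""
    for prefix, mode in KEY_MODES.items():
        if api_key.startswith(prefix):
            return mode
    raise ValueError("unrecognised API key prefix")


def load_key(expected_mode, env=os.environ):
    """Read the key from PALM_API_KEY (assumed variable name) and check its mode."""
    key = env.get("PALM_API_KEY", "")
    mode = key_mode(key)
    if mode != expected_mode:
        # Report only the mode; the key itself must never reach logs or errors.
        raise RuntimeError(f"expected a {expected_mode} key, found a {mode} key")
    return key


def retry_delay(headers, now=None, cap=60.0):
    """Seconds to wait after a 429, from X-RateLimit-Reset (a Unix timestamp)."""
    now = time.time() if now is None else now
    lowered = {name.lower(): value for name, value in headers.items()}
    try:
        reset = float(lowered["x-ratelimit-reset"])
    except (KeyError, ValueError):
        return cap  # header missing or malformed: wait one full window (assumed 60 s)
    return min(max(reset - now, 0.0), cap)  # bound the wait to the assumed window


def classify(status, headers, body, now=None):
    """Map a response to 'ok', 'retry', 'check_key' or 'fail' plus problem details."""
    if 200 <= status < 300:
        return {"action": "ok"}
    if status == 429:
        return {"action": "retry", "wait": retry_delay(headers, now)}
    try:
        problem = json.loads(body)
    except (TypeError, ValueError):
        problem = {}
    if not isinstance(problem, dict):
        problem = {}
    action = "check_key" if status == 401 else "fail"
    return {"action": action, "type": problem.get("type"), "detail": problem.get("detail")}
```

Calling load_key("test") in a development or CI process makes a misplaced sk_live_ key fail at startup instead of producing billed requests.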
