Authentication
All API requests require a valid API key sent as a Bearer token.
Token Format
API keys follow the format alm_live_xxxxxxxxxxxxxxxxxxxx. Keys are bound to a single account and should never be shared or committed to version control.
Obtain your API key from the pricing page by requesting access.
Header Format
Pass your key in the Authorization header using the Bearer scheme:
HTTP Header
Authorization: Bearer alm_live_xxxxxxxxxxxxxxxxxxxx
cURL
curl https://api.almuten.io/v1/positions/today \
  -H "Authorization: Bearer YOUR_API_KEY"
TypeScript (fetch)
const response = await fetch("https://api.almuten.io/v1/positions/today", {
  headers: {
    Authorization: "Bearer YOUR_API_KEY",
  },
});
Authentication Errors
When authentication fails, the API returns one of these responses:
401 Unauthorized — Missing or invalid token
Returned when the Authorization header is missing, malformed, or contains an invalid key.
{
  "error": {
    "status": 401,
    "message": "Invalid or missing API key",
    "requestId": "req_abc123def456"
  }
}
403 Forbidden — Insufficient access
Returned when your API key is valid but your plan does not include access to the requested endpoint. Check your plan's endpoint access tier.
{
  "error": {
    "status": 403,
    "message": "Endpoint requires Pro plan or higher",
    "requestId": "req_abc123def456"
  }
}
Best Practices
- Store your API key in an environment variable, not in source code.
- Never expose your key in client-side JavaScript. All API calls should go through your backend.
- Rotate your key immediately if you suspect it has been compromised.
- Use a separate key for development and production environments.
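The practices above and the 401/403 responses, combined into a backend-side helper. This is an added example, not code from the API's documentation or SDK; the environment variable name ALMUTEN_API_KEY and the functions loadApiKey, authHeaders, redact and classifyAuthFailure are assumptions made for illustration.

```typescript
// Added example (server-side only). Assumed names, not part of the API:
// ALMUTEN_API_KEY, loadApiKey, authHeaders, redact, classifyAuthFailure.
type Env = Record<string, string | undefined>;

// Read the key from the environment and fail closed before any request is sent.
function loadApiKey(env: Env): string {
  const key = (env.ALMUTEN_API_KEY ?? "").trim();
  // Only the documented alm_live_ prefix is checked; the length and character
  // set of the remainder are not specified on this page.
  if (!/^alm_live_\S+$/.test(key)) {
    throw new Error("ALMUTEN_API_KEY is unset or not in alm_live_ format");
  }
  return key;
}

// Build the Authorization header; call as authHeaders(process.env) on the server.
function authHeaders(env: Env): Record<string, string> {
  return { Authorization: `Bearer ${loadApiKey(env)}` };
}

// Strip anything that looks like a key so it never reaches logs in full.
function redact(text: string): string {
  return text.replace(/alm_live_[^\s"']+/g, "alm_live_[REDACTED]");
}

type AuthFailure = {
  action: "fix-or-rotate-key" | "check-plan-tier";
  logLine: string;
};

// Map the documented 401/403 bodies to an operator action and a safe log line.
function classifyAuthFailure(status: number, bodyText: string): AuthFailure | null {
  if (status !== 401 && status !== 403) return null;
  let message = "unparseable error body";
  let requestId = "unknown";
  try {
    const err = JSON.parse(bodyText)?.error ?? {};
    if (typeof err.message === "string") message = err.message;
    if (typeof err.requestId === "string") requestId = err.requestId;
  } catch { /* keep defaults: the body shape is not trusted */ }
  const line = `almuten auth failure status=${status} requestId=${requestId} message=${message}`;
  return {
    action: status === 401 ? "fix-or-rotate-key" : "check-plan-tier",
    // Collapse line breaks so a response body cannot forge extra log entries.
    logLine: redact(line).replace(/[\r\n]+/g, " "),
  };
}
```

Logging the requestId from the error body gives support a handle on the failed call without the key itself ever being written out.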
Related
- Rate Limits — Request quotas and sliding-window behavior
- Error Codes — Complete error response reference