Skip to main content
All API requests (except /health) require a valid API key passed as a Bearer token in the Authorization header.

API key format

cmp_live_aBcDeFgH.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SegmentDescription
cmpKey prefix (always cmp)
live or testEnvironment (live for production, test for sandbox)
aBcDeFgH8-character lookup identifier
.xxx...44-character secret

Making authenticated requests

Pass your key in the Authorization header with the Bearer scheme: 
curl https://prod-api.civicmarketplace.com/v1/contracts \
  -H "Authorization: Bearer cmp_live_aBcDeFgH.your_secret_here"

Environments

EnvironmentKey prefixBase URL
Productioncmp_live_https://prod-api.civicmarketplace.com
Sandboxcmp_test_https://uat-api.civicmarketplace.com
Use test keys during development. They connect to sandbox data and won’t affect production.

Data scoping

Each API key is scoped to a partner account. You will only see contracts and suppliers that your partner account has been granted access to. If you need access to additional data, contact your account manager.

Key rotation

When you rotate your API key, the previous key can optionally be revoked immediately. Plan for a brief overlap period if you need zero-downtime rotation:
  1. Request a new key from your account manager
  2. Update your application to use the new key
  3. Confirm the old key is no longer in use
  4. Request revocation of the old key

Error responses

If your key is missing, invalid, or revoked: 
{
  "error": {
    "code": "unauthorized",
    "message": "Missing or invalid API key",
    "request_id": "req_abc123"
  }
}
If your key is valid but you are accessing data outside your partner scope: 
{
  "error": {
    "code": "forbidden",
    "message": "This resource is not accessible with your API key",
    "request_id": "req_def456"
  }
}