App Key Authentication
Every API request must include your App Key in the X-RP-API-Key header. There are no cookies, query-string tokens, or session flows involved — just a single header on every request.
Header format:
All App Keys start with the prefix rp_app_ followed by a unique alphanumeric string. If your key does not start with this prefix, it was not issued correctly — register a new app to generate a valid key.
Getting Your App Key
Go to the Developer Portal
Navigate to developers.rocketpunch.com/apps/new and log in with your Rocketpunch account.
Fill in your app details
Enter an app name, a short description of your project, and — if you plan to use OAuth 2.0 — a redirect URI. All other fields are optional at this stage.
Keeping Your Key Secure
Your App Key grants access to the Rocketpunch API on your behalf. Treat it with the same care as a database password.
- Store keys in environment variables. Never hard-code your App Key directly in source code. Use process.env.ROCKETPUNCH_API_KEY in Node.js, os.environ in Python, or your framework’s secrets management.
- Never commit keys to version control. Add .env files to your .gitignore and audit your repository history if you suspect accidental exposure.
- Rotate immediately if compromised. If your key is leaked or exposed, go to the Developer Portal, revoke the old key, and issue a new one. Update all services using the old key before revoking it.
OAuth 2.0 (User Data)
When your app needs to access data that belongs to a specific Rocketpunch user — such as their private profile or saved jobs — you must obtain their consent through the OAuth 2.0 flow. This allows users to grant and revoke access to their data without sharing their password. To enable OAuth 2.0 for your app:
- Provide a redirect URI when registering your app at developers.rocketpunch.com/apps/new. This is the URL Rocketpunch redirects users back to after they approve or deny access.
- Implement the authorization code flow in your backend to exchange the returned code for an access token.
- Include the access token in your API requests instead of your App Key when calling user-specific endpoints.
OAuth 2.0 Guide
Read the full OAuth 2.0 documentation for authorization flows, token exchange, scopes, and refresh token handling.
Authentication Errors
If your request is not authenticated correctly, the API returns one of the following HTTP error codes:

| Status Code | Name | Cause | Resolution |
|---|---|---|---|
| 401 | Unauthorized | The X-RP-API-Key header is missing, malformed, or contains an invalid key. | Verify that the header is present on the request and that the key value starts with rp_app_. |
| 403 | Forbidden | The App Key is valid, but it does not have permission to access the requested resource. | Check whether the endpoint requires OAuth 2.0 user-consent authorization, or contact support if you believe this is an error. |
A 401 on your very first request almost always means the header name is misspelled or the key contains an extra space. Log the raw request headers before investigating further.
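The example below is an addition to this page, not Rocketpunch's own code: a startup check for the key loaded from ROCKETPUNCH_API_KEY, plus a helper that logs request headers for 401 debugging without writing the key itself to the log. The function names are hypothetical, and it assumes "alphanumeric" means ASCII letters and digits.

```python
import os
import re

HEADER = "X-RP-API-Key"
PREFIX = "rp_app_"
KEY_BODY = re.compile(r"[A-Za-z0-9]+")  # assumption: ASCII letters and digits


def diagnose_key(raw):
    """Return problems that would cause a 401; an empty list means the key looks valid."""
    if not raw:
        return ["key is not set"]
    problems = []
    key = raw.strip()
    if key != raw:
        problems.append("leading or trailing whitespace")
    if not key.startswith(PREFIX):
        problems.append("missing " + PREFIX + " prefix")
    elif not KEY_BODY.fullmatch(key[len(PREFIX):]):
        problems.append("text after the prefix is not alphanumeric")
    return problems


def load_app_key(env=os.environ):
    """Read the key from the environment; refuse to start if it is malformed."""
    raw = env.get("ROCKETPUNCH_API_KEY")
    if diagnose_key(raw):
        raise ValueError("; ".join(diagnose_key(raw)))  # names the problem, never the key
    return raw


def redact_headers(headers):
    """Copy headers for logging: mask the key, keep what is needed to debug a 401."""
    safe = {}
    for name, value in headers.items():
        named = name.lower() == HEADER.lower()  # header names are case-insensitive
        # Also mask a key sent under a misspelled header name, so it never reaches the log.
        if named or PREFIX in value:
            notes = diagnose_key(value)
            if not named:
                notes.append("header name is not " + HEADER)
            value = f"<redacted len={len(value)}: {', '.join(notes) or 'ok'}>"
        safe[name] = value
    return safe


if __name__ == "__main__":
    # Constructed sample: a fake key with a trailing space, as in the 401 note above.
    sample = {"X-RP-API-Key": "rp_app_EXAMPLE123 ", "Accept": "application/json"}
    print(redact_headers(sample))
```

Calling load_app_key() once at process start surfaces a malformed key before the first request, and logging redact_headers(...) instead of the raw headers keeps the key out of log storage.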