Skip to main content
The Rocketpunch Open API supports two authentication methods. App Key authentication is the primary method for server-side API calls — you pass a static key in a request header and gain access to all public endpoints. OAuth 2.0 is available when your app needs to access data on behalf of an individual Rocketpunch user with their explicit consent.

App Key Authentication

Every API request must include your App Key in the X-RP-API-Key header. There are no cookies, query-string tokens, or session flows involved — just a single header on every request. Header format:
X-RP-API-Key: rp_app_xxxxxxxxxxxxxxxx
const res = await fetch(
  "https://openapi.rocketpunch.com/api/v1/jobs?keyword=AI",
  {
    headers: {
      "X-RP-API-Key": process.env.ROCKETPUNCH_API_KEY,
    },
  },
);
const data = await res.json();
All App Keys start with the prefix rp_app_ followed by a unique alphanumeric string. If your key does not start with this prefix, it was not issued correctly — register a new app to generate a valid key.

Getting Your App Key

1

Go to the Developer Portal

Navigate to developers.rocketpunch.com/apps/new and log in with your Rocketpunch account.
2

Fill in your app details

Enter an app name, a short description of your project, and — if you plan to use OAuth 2.0 — a redirect URI. All other fields are optional at this stage.
3

Register and copy your key

Click Register. Your App Key appears immediately on the confirmation screen. Copy it now and store it securely. No separate approval is required — your key is active the moment it is issued.

Keeping Your Key Secure

Your App Key grants access to the Rocketpunch API on your behalf. Treat it with the same care as a database password.
  • Store keys in environment variables. Never hard-code your App Key directly in source code. Use process.env.ROCKETPUNCH_API_KEY in Node.js, os.environ in Python, or your framework’s secrets management.
  • Never commit keys to version control. Add .env files to your .gitignore and audit your repository history if you suspect accidental exposure.
  • Rotate immediately if compromised. If your key is leaked or exposed, go to the Developer Portal, revoke the old key, and issue a new one. Update all services using the old key before revoking it.
Never include your App Key in client-side JavaScript that runs in the browser. Anyone who visits your site can read it from the source. Always proxy API calls through your own server-side backend and keep the key there.

OAuth 2.0 (User Data)

When your app needs to access data that belongs to a specific Rocketpunch user — such as their private profile or saved jobs — you must obtain their consent through the OAuth 2.0 flow. This allows users to grant and revoke access to their data without sharing their password. To enable OAuth 2.0 for your app:
  1. Provide a redirect URI when registering your app at developers.rocketpunch.com/apps/new. This is the URL Rocketpunch redirects users back to after they approve or deny access.
  2. Implement the authorization code flow in your backend to exchange the returned code for an access token.
  3. Include the access token in your API requests instead of your App Key when calling user-specific endpoints.

OAuth 2.0 Guide

Read the full OAuth 2.0 documentation for authorization flows, token exchange, scopes, and refresh token handling.

Authentication Errors

If your request is not authenticated correctly, the API returns one of the following HTTP error codes:
Status CodeNameCauseResolution
401UnauthorizedThe X-RP-API-Key header is missing, malformed, or contains an invalid key.Verify that the header is present on the request and that the key value starts with rp_app_.
403ForbiddenThe App Key is valid, but it does not have permission to access the requested resource.Check whether the endpoint requires OAuth 2.0 user-consent authorization, or contact support if you believe this is an error.
A 401 on your very first request almost always means the header name is misspelled or the key contains an extra space. Log the raw request headers before investigating further.