> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rocketpunch.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Rocketpunch API Authentication: Keys and OAuth 2.0

> The Rocketpunch API uses App Key authentication via request headers. Learn how to secure your key, format headers, and handle auth errors.

The Rocketpunch Open API supports two authentication methods. **App Key authentication** is the primary method for server-side API calls — you pass a static key in a request header and gain access to all public endpoints. **OAuth 2.0** is available when your app needs to access data on behalf of an individual Rocketpunch user with their explicit consent.

## App Key Authentication

Every API request must include your App Key in the `X-RP-API-Key` header. There are no cookies, query-string tokens, or session flows involved — just a single header on every request.

**Header format:**

```
X-RP-API-Key: rp_app_xxxxxxxxxxxxxxxx
```

<CodeGroup>
  ```javascript JavaScript theme={null}
  const res = await fetch(
    "https://openapi.rocketpunch.com/api/v1/jobs?keyword=AI",
    {
      headers: {
        "X-RP-API-Key": process.env.ROCKETPUNCH_API_KEY,
      },
    },
  );
  const data = await res.json();
  ```

  ```bash cURL theme={null}
  curl -X GET 'https://openapi.rocketpunch.com/api/v1/jobs?keyword=AI' \
    -H 'X-RP-API-Key: rp_app_YOUR_KEY_HERE'
  ```
</CodeGroup>

<Note>
  All App Keys start with the prefix `rp_app_` followed by a unique alphanumeric string. If your key does not start with this prefix, it was not issued correctly — register a new app to generate a valid key.
</Note>

## Getting Your App Key

<Steps>
  <Step title="Go to the Developer Portal">
    Navigate to [developers.rocketpunch.com/apps/new](https://developers.rocketpunch.com/apps/new) and log in with your Rocketpunch account.
  </Step>

  <Step title="Fill in your app details">
    Enter an app name, a short description of your project, and — if you plan to use OAuth 2.0 — a redirect URI. All other fields are optional at this stage.
  </Step>

  <Step title="Register and copy your key">
    Click **Register**. Your App Key appears immediately on the confirmation screen. Copy it now and store it securely. **No separate approval is required** — your key is active the moment it is issued.
  </Step>
</Steps>

## Keeping Your Key Secure

Your App Key grants access to the Rocketpunch API on your behalf. Treat it with the same care as a database password.

* **Store keys in environment variables.** Never hard-code your App Key directly in source code. Use `process.env.ROCKETPUNCH_API_KEY` in Node.js, `os.environ` in Python, or your framework's secrets management.
* **Never commit keys to version control.** Add `.env` files to your `.gitignore` and audit your repository history if you suspect accidental exposure.
* **Rotate immediately if compromised.** If your key is leaked or exposed, go to the Developer Portal, revoke the old key, and issue a new one. Update all services using the old key before revoking it.

<Warning>
  Never include your App Key in client-side JavaScript that runs in the browser. Anyone who visits your site can read it from the source. Always proxy API calls through your own server-side backend and keep the key there.
</Warning>

## OAuth 2.0 (User Data)

When your app needs to access data that belongs to a specific Rocketpunch user — such as their private profile or saved jobs — you must obtain their consent through the OAuth 2.0 flow. This allows users to grant and revoke access to their data without sharing their password.

To enable OAuth 2.0 for your app:

1. Provide a **redirect URI** when registering your app at [developers.rocketpunch.com/apps/new](https://developers.rocketpunch.com/apps/new). This is the URL Rocketpunch redirects users back to after they approve or deny access.
2. Implement the authorization code flow in your backend to exchange the returned code for an access token.
3. Include the access token in your API requests instead of your App Key when calling user-specific endpoints.

<Card title="OAuth 2.0 Guide" icon="arrow-right" href="/api/oauth/overview">
  Read the full OAuth 2.0 documentation for authorization flows, token exchange, scopes, and refresh token handling.
</Card>

## Authentication Errors

If your request is not authenticated correctly, the API returns one of the following HTTP error codes:

| Status Code | Name         | Cause                                                                                   | Resolution                                                                                                                    |
| ----------- | ------------ | --------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| `401`       | Unauthorized | The `X-RP-API-Key` header is missing, malformed, or contains an invalid key.            | Verify that the header is present on the request and that the key value starts with `rp_app_`.                                |
| `403`       | Forbidden    | The App Key is valid, but it does not have permission to access the requested resource. | Check whether the endpoint requires OAuth 2.0 user-consent authorization, or contact support if you believe this is an error. |

<Note>
  A `401` on your very first request almost always means the header name is misspelled or the key contains an extra space. Log the raw request headers before investigating further.
</Note>
