Authentication

The Qudra Partner API uses Bearer token authentication. Every request must include an Authorization header with your API key:

Authorization: Bearer qk_live_a1b2c3d4e5f6…

API key formats

| Prefix | Environment | Base URL | Notes | |--------------|-------------|----------------------------------|---------------------------------------------| | qk_live_… | Production | https://api.qudrah.io/v1 | Real jobs, real webhooks, real billing. | | qk_test_… | Sandbox | https://sandbox.api.qudrah.io/v1| Synthetic data, no billing, no SLA. |

Treat keys like passwords

Keys are shown once at creation time. Store them in your secrets manager (Vault, AWS Secrets Manager, Doppler) and never commit them to git or ship them in client-side bundles.

Issuing a key

Sign in to qudrah.io/partner with your company account.
Open API Keys → Create key.
Pick a label (e.g. production-ats-2026) and an environment (live or test).
Copy the key from the modal — this is the only time it will be displayed.

Using a key

GET/v1/partner/jobs

curl https://api.qudrah.io/v1/partner/jobs \
  -H "Authorization: Bearer $QUDRA_API_KEY"

import { QudraClient } from '@qudra/sdk';
 
const qudra = new QudraClient({ apiKey: process.env.QUDRA_API_KEY! });
const jobs = await qudra.jobs.list();

Rotating a key

Rotate keys whenever a developer leaves, a deploy log might have leaked, or every 90 days as good hygiene.

Create a new key with the same label suffixed -v2.
Deploy the new key to your environment.
Once traffic has cut over (check lastUsedAt in the dashboard), revoke the old key.

Revoked keys reject all requests with 401 partner.unauthorized immediately.

Error responses

| Status | Code | Meaning | |--------|-----------------------|----------------------------------------------------| | 401 | partner.unauthorized| Missing, malformed, or revoked key. | | 403 | partner.forbidden | Key is valid but lacks permission for the action. | | 429 | partner.rate_limit | Per-minute rate limit hit — see Rate limiting. |