Batchrouter
Authentication

API keys & sessions

All API calls authenticate with a bearer token. Webhooks are signed so you can verify delivery.

Token: Bearer (bk_live_… on every request)
Webhooks: HMAC (SHA-256 of raw body)
Rotation: Anytime (old keys keep working)

Bearer tokens

Authorization · header

Create API keys from Account → API keys in the dashboard. Send the key as a bearer token on every request.

curl
Authorization: Bearer bk_live_...

Key scopes

workspace

Keys are workspace-scoped. Quote, submit, read, and cancel permissions can be enabled independently per key. Rotate keys at any time — old keys keep working until you revoke them.

quote
submit
read
cancel

Webhook signatures

X-Batchrouter-Signature

Webhook deliveries include an X-Batchrouter-Signature header containing an HMAC-SHA256 of the raw request body using your webhook secret. Always verify before processing.

verify.ts
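import { createHmac, timingSafeEqual } from "node:crypto";

// rawBody: the unparsed request body; signature: the X-Batchrouter-Signature header value
const expected = createHmac("sha256", process.env.WEBHOOK_SECRET!)
  .update(rawBody)
  .digest("hex");

// timingSafeEqual throws if the buffers differ in length, so compare lengths first
const given = Buffer.from(signature ?? "");
const want = Buffer.from(expected);
if (given.length !== want.length || !timingSafeEqual(given, want)) {
  return new Response("Invalid signature", { status: 401 });
}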
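
The check above as a self-contained function run against constructed deliveries, showing the cases that trip receivers: a missing or truncated header, and a body that was parsed and re-serialized before hashing. This is an added example, not Batchrouter's own code; it assumes the header carries the bare hex digest, as the snippet above implies, and `handleDelivery`, the sample secret and the sample body are hypothetical.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Returns true only if signatureHeader is the hex HMAC-SHA256 of rawBody.
// rawBody must be the body exactly as received, before any JSON parsing.
function verifySignature(rawBody: string | Buffer, signatureHeader: string | null, secret: string): boolean {
  // Reject a missing or malformed header up front: timingSafeEqual throws a
  // RangeError on unequal lengths, and hex decoding silently drops bad input.
  if (!signatureHeader || !/^[0-9a-f]{64}$/i.test(signatureHeader)) return false;
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  return timingSafeEqual(Buffer.from(signatureHeader, "hex"), expected);
}

// Hypothetical handler shape: verify first, parse second.
type Result = { status: 200; event: unknown } | { status: 400 | 401; event: null };

function handleDelivery(rawBody: string, signatureHeader: string | null, secret: string): Result {
  if (!verifySignature(rawBody, signatureHeader, secret)) return { status: 401, event: null };
  try {
    return { status: 200, event: JSON.parse(rawBody) };
  } catch {
    return { status: 400, event: null }; // authentic but not valid JSON
  }
}

// Constructed sample delivery (not real Batchrouter data).
const SAMPLE_SECRET = "example-secret-not-real";
const SAMPLE_BODY = '{"id": "evt_1", "status": "done"}';
const SAMPLE_SIG = createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");

// Re-serializing parsed JSON drops the whitespace, so the MAC no longer matches.
const RESERIALIZED = JSON.stringify(JSON.parse(SAMPLE_BODY));

console.log("valid delivery:   ", handleDelivery(SAMPLE_BODY, SAMPLE_SIG, SAMPLE_SECRET).status);
console.log("re-serialized:    ", handleDelivery(RESERIALIZED, SAMPLE_SIG, SAMPLE_SECRET).status);
console.log("truncated header: ", handleDelivery(SAMPLE_BODY, SAMPLE_SIG.slice(0, 10), SAMPLE_SECRET).status);
console.log("missing header:   ", handleDelivery(SAMPLE_BODY, null, SAMPLE_SECRET).status);
```

In a real handler, read the body as text or bytes before any JSON middleware touches it, and pass that same value to both the HMAC and the parser.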
