Appearance
Authentication
Every request to the API must include a valid API key. Keys are partner-scoped: a key can only read the products that belong to the partner account it was issued for.
API keys
Keys are issued by a partner admin in the TDC portal under Settings → API Keys. A key looks like this:
dk_live_3f9a1c7e5b2d8f04a6c1e9b7d2f5a8c30e4b6d1f- The
dk_live_prefix identifies it as a live Desire Company key. - The key is shown once, at creation. TDC stores only a hash of it and can never display it again — if you lose it, revoke it and create a new one.
- A key carries read access to your partner catalog.
Sending your key
Provide the key in either of these request headers. If both are present, Authorization takes precedence.
bash
curl https://api.prod.thedesirecompany.com/api/v1/public/products/123 \
-H "Authorization: Bearer dk_live_your_key_here"bash
curl https://api.prod.thedesirecompany.com/api/v1/public/products/123 \
-H "X-API-Key: dk_live_your_key_here"Partner scoping
Your key is tied to your partner account. Every lookup is automatically constrained to your catalog:
GET /sku/:skumatches your SKU within your account.GET /products/:idreturns the product only if it is associated with your account.
A product that exists in TDC but isn't part of your catalog returns 404 — never another partner's data.
Rate limits
Each key is limited to 100 requests per minute. Responses carry standard rate-limit headers:
| Header | Meaning |
|---|---|
RateLimit-Limit | Requests allowed in the window (100) |
RateLimit-Remaining | Requests remaining in the current window |
RateLimit-Reset | Seconds until the window resets |
Exceeding the limit returns 429 rate_limit_exceeded with a Retry-After header:
json
{
"error": "rate_limit_exceeded",
"message": "Too many requests. Try again in 42 seconds."
}Back off for the indicated number of seconds before retrying.
Errors
| Status | error | When |
|---|---|---|
401 | missing_api_key | No key in either header |
401 | invalid_api_key | The key is unknown or has been revoked |
429 | rate_limit_exceeded | More than 100 requests in a minute |
See Errors for the complete reference.
Security
- Server-side only. Call the API from your backend. Never ship a key in browser JavaScript, a mobile app, or any client the public can inspect.
- Store keys as secrets. Keep them in environment variables or a secret manager — never commit them to source control.
- Rotate on exposure. If a key may have leaked, revoke it in Settings → API Keys and issue a new one. Revocation takes effect immediately.
- Use separate keys per environment or integration so you can revoke one without disrupting the others.

