Skip to content

Authentication

Every request to the API must include a valid API key. Keys are partner-scoped: a key can only read the products that belong to the partner account it was issued for.

API keys

Keys are issued by a partner admin in the TDC portal under Settings → API Keys. A key looks like this:

dk_live_3f9a1c7e5b2d8f04a6c1e9b7d2f5a8c30e4b6d1f
  • The dk_live_ prefix identifies it as a live Desire Company key.
  • The key is shown once, at creation. TDC stores only a hash of it and can never display it again — if you lose it, revoke it and create a new one.
  • A key carries read access to your partner catalog.

Sending your key

Provide the key in either of these request headers. If both are present, Authorization takes precedence.

bash
curl https://api.prod.thedesirecompany.com/api/v1/public/products/123 \
  -H "Authorization: Bearer dk_live_your_key_here"
bash
curl https://api.prod.thedesirecompany.com/api/v1/public/products/123 \
  -H "X-API-Key: dk_live_your_key_here"

Partner scoping

Your key is tied to your partner account. Every lookup is automatically constrained to your catalog:

  • GET /sku/:sku matches your SKU within your account.
  • GET /products/:id returns the product only if it is associated with your account.

A product that exists in TDC but isn't part of your catalog returns 404 — never another partner's data.

Rate limits

Each key is limited to 100 requests per minute. Responses carry standard rate-limit headers:

HeaderMeaning
RateLimit-LimitRequests allowed in the window (100)
RateLimit-RemainingRequests remaining in the current window
RateLimit-ResetSeconds until the window resets

Exceeding the limit returns 429 rate_limit_exceeded with a Retry-After header:

json
{
  "error": "rate_limit_exceeded",
  "message": "Too many requests. Try again in 42 seconds."
}

Back off for the indicated number of seconds before retrying.

Errors

StatuserrorWhen
401missing_api_keyNo key in either header
401invalid_api_keyThe key is unknown or has been revoked
429rate_limit_exceededMore than 100 requests in a minute

See Errors for the complete reference.

Security

  • Server-side only. Call the API from your backend. Never ship a key in browser JavaScript, a mobile app, or any client the public can inspect.
  • Store keys as secrets. Keep them in environment variables or a secret manager — never commit them to source control.
  • Rotate on exposure. If a key may have leaked, revoke it in Settings → API Keys and issue a new one. Revocation takes effect immediately.
  • Use separate keys per environment or integration so you can revoke one without disrupting the others.

The Desire Company — Enterprise API