Authentication
Last updated: 2026-03-07
Getting Your API Key#
To use the Altrixy API, you need an API key:
- Go to Settings > API
- Click Generate API Key
- Give the key a descriptive name (e.g., "CI/CD Pipeline" or "Portfolio Automation")
- Copy the key immediately — it will not be shown again
You can generate up to 5 API keys on the free plan and 25 on paid plans. Each key can be independently revoked.
Treat API keys like passwords. Never commit them to version control, share them in chat, or embed them in client-side code.
# Store your API key as an environment variable
export ALTRIXY_API_KEY="altx_sk_your_key_here"Authentication Methods#
The Altrixy API supports two authentication methods:
1. API Key (recommended for server-to-server)
Include your API key in the X-API-Key header:
curl -H "X-API-Key: altx_sk_your_key_here" \
https://api.altrixy.com/v1/portfolios2. JWT Bearer Token (recommended for user-facing apps)
First, exchange your credentials for a JWT:
curl -X POST https://api.altrixy.com/v1/auth/token \
-H "Content-Type: application/json" \
-d '{
"email": "you@example.com",
"password": "your_password"
}'Response:
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"refresh_token": "altx_rt_abc123...",
"expires_in": 3600,
"token_type": "Bearer"
}Then use the token in the Authorization header:
curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
https://api.altrixy.com/v1/portfoliosToken Refresh Flow#
JWT access tokens expire after 1 hour. Use the refresh token to get a new access token without re-authenticating:
curl -X POST https://api.altrixy.com/v1/auth/refresh \
-H "Content-Type: application/json" \
-d '{
"refresh_token": "altx_rt_abc123..."
}'Response:
{
"access_token": "eyJhbGciOiJSUzI1NiIs...(new)",
"refresh_token": "altx_rt_def456...(new)",
"expires_in": 3600,
"token_type": "Bearer"
}Each refresh token can only be used once. The response includes a new refresh token — store it for the next refresh cycle. Refresh tokens expire after 30 days of inactivity.
Rate Limits#
API rate limits vary by plan:
| Plan | Requests/minute | Requests/day | Burst limit |
|---|---|---|---|
| Free | 30 | 1,000 | 10 req/sec |
| Pro | 120 | 10,000 | 30 req/sec |
| Team | 300 | 50,000 | 60 req/sec |
| Enterprise | Custom | Custom | Custom |
Rate limit headers are included in every response:
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 118
X-RateLimit-Reset: 1679529600When you exceed the rate limit, you receive a 429 Too Many Requests response:
{
"error": "rate_limit_exceeded",
"message": "Rate limit exceeded. Try again in 45 seconds.",
"retry_after": 45
}Error Handling#
The API uses standard HTTP status codes and returns structured error responses:
{
"error": "error_code",
"message": "Human-readable description",
"details": {}
}Common error codes:
| Status | Code | Description |
|---|---|---|
| 400 | invalid_request | Malformed request body or missing required fields |
| 401 | unauthorized | Missing or invalid authentication credentials |
| 403 | forbidden | Valid credentials but insufficient permissions |
| 404 | not_found | The requested resource does not exist |
| 409 | conflict | Resource already exists (e.g., duplicate slug) |
| 422 | validation_error | Request body validation failed. details contains field-specific errors |
| 429 | rate_limit_exceeded | Too many requests. Check retry_after field |
| 500 | internal_error | Unexpected server error. Contact support if persistent |
Always check the `error` code programmatically rather than parsing the `message` string, which may change without notice.