API Authentication

Authenticate with the AchieveApex API using an API Key sent via the x-api-key header.

API Base URL

All examples in this documentation use https://api.achieveapex.com as the base URL.

Creating an API Key

Navigate to Settings → Developers → API Keys in your AchieveApex dashboard to create and manage API keys. Each key is scoped to a single organization and associated with a specific user.

Important

API Keys provide full access to all resources within the organization. Treat them like passwords — never expose them in client-side code or public repositories.

Using an API Key

Include your API key in the x-api-key header of every request. No separate login step is needed.

Standard Headers
Content-Type: application/json
x-api-key: YOUR_API_KEY

Example — List Contacts
curl -X GET https://api.achieveapex.com/contacts \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json"

Example — Create a Contact
curl -X POST https://api.achieveapex.com/contacts \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "first_name": "Jane",
    "last_name": "Doe",
    "email": "jane@example.com",
    "organization_id": 101
  }'

Rate Limiting

API Key requests are rate-limited per organization using a sliding window algorithm.

| Limit | Default |
| --- | --- |
| Max requests per window | 1,000 |
| Window duration | 3,600 seconds (1 hour) |

When the limit is exceeded, the API returns 429 Too Many Requests with a retryAfter value in the response body indicating how many seconds to wait.

429 — Rate Limit Exceeded
{
  "name": "TooManyRequests",
  "message": "Rate limit exceeded",
  "code": 429,
  "data": {
    "limit": 1000,
    "current": 1001,
    "window": 3600,
    "retryAfter": 542
  }
}

Permissions

Each API Key is scoped to a single organization. All requests are automatically filtered to only access resources within that organization. The key has full access to all organization resources (contacts, deals, conversations, support tickets, etc.).

Error Handling

401 — Invalid API Key
{
  "name": "NotAuthenticated",
  "message": "Invalid API key",
  "code": 401,
  "className": "not-authenticated"
}

403 — Insufficient Permissions
{
  "name": "Forbidden",
  "message": "Access denied: You do not have permission to view contacts. Please contact your organization administrator.",
  "code": 403,
  "className": "forbidden"
}

Common HTTP Status Codes

| Status Code | Description |
| --- | --- |
| 200 OK | Successful request |
| 201 Created | Resource successfully created |
| 400 Bad Request | Invalid request format or parameters |
| 401 Unauthorized | Invalid or missing API key |
| 403 Forbidden | Authenticated but insufficient permissions for the requested resource |
| 404 Not Found | Resource not found or not accessible in your organization |
| 429 Too Many Requests | Rate limit exceeded — wait and retry |

Security Best Practices

  • Always use HTTPS to prevent API key interception.
  • Never expose API keys in client-side code, mobile apps, or public repositories.
  • Store API keys securely (e.g., environment variables, secret managers).
  • Rotate API keys periodically — you can deactivate old keys and create new ones in Settings → Developers → API Keys.
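
A client-side sketch that combines the 429 handling from the Rate Limiting section with the key-storage advice above. It is an added example, not AchieveApex's own code. The environment variable name ACHIEVEAPEX_API_KEY, the 60-second fallback, the retry count and the function names are assumptions.

```python
import json
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://api.achieveapex.com"  # base URL used throughout this page
MAX_WAIT = 3600     # never sleep longer than one full rate-limit window (seconds)
DEFAULT_WAIT = 60   # assumed fallback when the 429 body carries no usable value


def retry_after_seconds(body):
    """Return data.retryAfter from a 429 body, bounded to [0, MAX_WAIT]."""
    try:
        value = json.loads(body)["data"]["retryAfter"]
    except (ValueError, KeyError, TypeError):
        return DEFAULT_WAIT          # not JSON, or not the documented shape
    if type(value) is not int or value < 0:
        return DEFAULT_WAIT          # reject strings, floats, booleans, negatives
    return min(value, MAX_WAIT)      # a hostile or buggy value cannot stall us


def http_send(path):
    """Real transport: the key is read from the environment, never from source."""
    key = os.environ["ACHIEVEAPEX_API_KEY"]  # assumed variable name
    req = urllib.request.Request(BASE_URL + path, headers={
        "x-api-key": key, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:    # 4xx/5xx still carry a JSON body
        return err.code, err.read().decode()


def get_with_backoff(path, send=http_send, sleep=time.sleep, max_attempts=3):
    """GET path, waiting out 429 responses; returns the last (status, body)."""
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    for attempt in range(1, max_attempts + 1):
        status, body = send(path)
        if status != 429 or attempt == max_attempts:
            return status, body
        sleep(retry_after_seconds(body))     # honor the server's wait hint
```

The send and sleep parameters exist so the retry logic can be exercised without network access or real delays.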
