API Authentication
Authentication and access control for the Cliff Horizon API.
The Cliff Horizon API uses API key authentication with role-based access control.
Authentication
All API requests require an Authorization header:
```bash
curl -H "Authorization: Bearer ch_live_xxxxxxxxxxxx" \
  https://api.cliffhorizon.com/v1/forecast
```
API keys are issued per organisation and can be scoped to specific endpoints and projects.
Key Types
| Key Type | Prefix | Access | Use Case |
|---|---|---|---|
| Live | ch_live_ | Full read/write | Production dashboard, integrations |
| Test | ch_test_ | Read-only, sandbox data | Development, testing |
| Webhook | ch_whk_ | Webhook verification only | Validating webhook signatures |
Rate Limits
| Tier | Requests/minute | Burst |
|---|---|---|
| Standard | 60 | 10 |
| Professional | 300 | 50 |
| Enterprise | Custom | Custom |
Rate limit headers are included in every response:
```
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1712188800
```
Error Responses
| Status | Meaning |
|---|---|
| 401 Unauthorized | Missing or invalid API key |
| 403 Forbidden | Key doesn't have access to this endpoint |
| 429 Too Many Requests | Rate limit exceeded |
```json
{
  "error": {
    "type": "authentication_error",
    "message": "Invalid API key provided",
    "code": "invalid_api_key"
  }
}
```
Security
- All API traffic is encrypted via TLS 1.3
- API keys should be stored as environment variables, never committed to source control
- Keys can be rotated without downtime via the dashboard settings
- IP allowlisting is available on Enterprise plans
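
An added example (not part of the Cliff Horizon documentation or any SDK) of client-side handling for the key prefixes, rate-limit headers and error body described on this page. The environment variable name `CLIFF_HORIZON_API_KEY`, the `allow_live` switch, and reading `X-RateLimit-Reset` as a Unix timestamp in seconds are assumptions of the example.

```python
import json
import os

# Prefixes from the Key Types table on this page.
KEY_PREFIXES = {"ch_live_": "live", "ch_test_": "test", "ch_whk_": "webhook"}


def load_api_key(env=os.environ, var="CLIFF_HORIZON_API_KEY", allow_live=False):
    """Read the key from the environment; var and allow_live are assumptions."""
    key = env.get(var, "")
    kind = next((k for p, k in KEY_PREFIXES.items() if key.startswith(p)), None)
    if kind is None:
        raise ValueError(f"{var} is unset or has an unknown prefix")
    if kind == "webhook":
        raise ValueError("webhook keys are listed as webhook verification only")
    if kind == "live" and not allow_live:
        raise ValueError("live key refused: pass allow_live=True in production")
    return key, kind


def redact(key):
    """Keep only the type prefix so logs never contain the secret part."""
    prefix = next((p for p in KEY_PREFIXES if key.startswith(p)), "")
    return prefix + "****"


def classify_response(status, headers, body, now):
    """Return ("ok", 0), ("wait", seconds) or ("fail", error_code)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # Assumption: X-RateLimit-Reset is a Unix timestamp in seconds.
    wait = max(0, int(h.get("x-ratelimit-reset", now)) - now)
    if status == 429:
        return ("wait", wait)
    if status in (401, 403):
        try:
            code = json.loads(body)["error"]["code"]
        except (ValueError, KeyError, TypeError):
            code = "unknown"
        # Retrying cannot fix a bad or under-scoped key: stop and alert.
        return ("fail", code)
    if h.get("x-ratelimit-remaining") == "0":
        return ("wait", wait)  # quota spent: pause before the next call
    return ("ok", 0)
```

Log `redact(key)` rather than the key itself, and treat a `("fail", ...)` result as a signal to check key scope or rotation rather than to retry.
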
API specifications are preliminary and subject to change during development. This documentation represents the planned API design.