Use HTTP Basic Auth to authenticate with our API. You must send your API key with every request. Put your API key as the basic auth username and leave the password blank:

curl -u API_KEY: -H "Accept: application/json; version=1" --request POST --header 'Content-Type: application/json'

If your API key is missing, the API will respond with a 401 status code. When the provided key is wrong or deactivated, the API will respond with a 403 status code. All three situations will return a human-readable response specific to the situation.

API Key Endpoint Permissions

Each API key has a set of permissions that determine which endpoints it can read or write. If your API key does not have the necessary permissions to access an endpoint, the API will respond with a 403 status code and an error of missing_endpoint_permission.

Table of Permissions

API permissions are organized by module. You can grant an API key read or write access to each module. The following table lists the endpoints that are covered by read and write permission for each module:

ModuleRead EndpointsWrite Endpoints
Hiring Process Metadata
Api Keys

Confidential Job and Project Access

By default, API keys cannot access confidential job and project information. This includes job/project data, job considerations, and candidates for confidential jobs and projects. To grant an API key access to confidential job and project information, you must select the "Allow access to confidential jobs and projects?" permission in the Ashby web app.

Managing API Key Permissions

An Ashby Admin can manage permissions for existing API keys in the Ashby web app:

Editing API Key Permissions

Permissions for Merge Integrations

If you access Ashby data using the Merge ATS API, you will need to grant your API key the necessary permissions for Merge to access the data you need. You can find a mapping between Merge Common Models and the Ashby endpoints they use in the Merge documentation for Ashby here.