Authentication

Use HTTP Basic Auth to authenticate with our API. You must send your API key with every request. Put your API key as the basic auth username and leave the password blank:

curl https://api.ashbyhq.com/application.list -u API_KEY: -H "Accept: application/json; version=1" --request POST --header 'Content-Type: application/json'

If your API key is missing, the API will respond with a 401 status code. When the provided key is wrong or deactivated, the API will respond with a 403 status code. All three situations will return a human-readable response specific to the situation.

API Key Endpoint Permissions

Each API key has a set of permissions that determine which endpoints it can read or write. If your API key does not have the necessary permissions to access an endpoint, the API will respond with a 403 status code and an error of missing_endpoint_permission.

Table of Permissions

API permissions are organized by module. You can grant an API key read or write access to each module. The following table lists the endpoints that are covered by read and write permission for each module:

Module	Read Endpoints	Write Endpoints
Jobs	`job.info` `job.list` `job.search` `jobInterviewPlan.info` `jobPosting.info` `jobPosting.list` `opening.info` `opening.list` `opening.search`	`job.create` `job.setStatus` `job.update` `jobPosting.update` `opening.addJob` `opening.create` `opening.removeJob` `opening.setArchived` `opening.setOpeningState` `opening.update`
Candidates	`application.info` `application.list` `applicationFeedback.list` `application.addHiringTeaMember` `application.hiringTeamRoleList` `candidate.info` `candidate.list` `candidate.listNotes` `candidate.search` `file.info` `surveySubmission.list`	`application.changeSource` `application.changeStage` `application.change_source` `application.change_stage` `application.create` `applicationFeedback.submit` `applicationForm.submit` `assessment.addCompletedToCandidate` `assessment.update` `candidate.addTag` `candidate.anonymize` `candidate.create` `candidate.createNote` `candidate.update` `candidate.uploadFile` `candidate.uploadResume` `customField.setValue` `referral.create` `surveyRequest.create`
Interviews	`interview.info` `interview.list` `interviewEvent.list` `interviewPlan.list` `interviewSchedule.list` `interviewStage.info` `interviewStage.list`	`interviewSchedule.cancel` `interviewSchedule.create` `interviewSchedule.update`
Hiring Process Metadata	`archiveReason.list` `candidateTag.list` `customField.list` `feedbackFormDefinition.info` `feedbackFormDefinition.list` `referralForm.info` `source.list` `surveyFormDefinition.info` `surveyFormDefinition.list`	`candidateTag.create` `customField.create`
Organization	`department.info` `department.list` `hiringTeamRole.list` `location.info` `location.list` `user.info` `user.list` `user.search`	`department.create` `hiringTeam.addMember` `location.create`
Offers	`offer.info` `offer.list`	`offer.create` `offer.start` `offerProcess.start`
Api Keys	`apiKey.info`	`webhook.create` `webhook.delete` `webhook.update`
Approvals		`approvalDefinition.update`

Confidential Job Access

By default, API keys cannot access confidential job information. This includes both job data itself as well as candidates and job considerations for confidential jobs. To grant an API key access to confidential job information, you must select the "Allow access to confidential jobs" permission in the Ashby web app.

Managing API Key Permissions

An Ashby Admin can manage permissions for existing API keys in the Ashby web app:

Editing API Key Permissions

Permissions for Merge Integrations

If you access Ashby data using the Merge ATS API, you will need to grant your API key the necessary permissions for Merge to access the data you need. You can find a mapping between Merge Common Models and the Ashby endpoints they use in the Merge documentation for Ashby here.