The Partner API uses API key authentication. Keys are scoped to a specific organization and
must be explicitly provisioned as partner-type keys — internal platform keys are rejected
on partner routes.
Getting a partner API key
Partner API keys are provisioned by your TruEnroll account manager. To request one, provide:
- Your organization name and registered email address
- The intended use case (the service or product that will use the key)
- The environments you need keys for (staging, production)
Sending the key
Include your partner API key in every request using either header:
Both headers are accepted. x-api-key is recommended for clarity — it’s immediately obvious
this is an API key and not a JWT token.
Error responses
| Code | Meaning |
|---|---|
| 401 Unauthorized | No API key provided, or the key is malformed |
| 403 Forbidden | Key is valid but is not a partner-type key (e.g., it’s an internal key), or the key is inactive |
{
  "statusCode": 401,
  "message": "No valid API key provided"
}
Key security
Treat your partner API key like a password. It authenticates requests as your organization
and carries all of your organization’s provisioned features.
- Never commit keys to version control. Use environment variables or a secrets manager.
- Use separate keys per environment. Don’t use a production key in your staging or
development environment.
- Rotate keys if compromised. Contact your TruEnroll account manager to revoke a
key and issue a replacement immediately.
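The guidance above (key from the environment, one key per environment, `x-api-key` header, and the 401/403 meanings) can be combined in a small client helper. This is an added example, not TruEnroll code: the environment variable names are assumptions, the HTTPS check is an added precaution, and any URL passed in is a placeholder.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

# Assumed variable names, one per environment (not TruEnroll-defined).
KEY_ENV_VARS = {
    "staging": "PARTNER_API_KEY_STAGING",
    "production": "PARTNER_API_KEY_PRODUCTION",
}


class PartnerAuthError(Exception):
    """Key missing locally, so no request should be sent."""


def load_key(environment, env=os.environ):
    """Return the key for exactly one environment; never fall back to another."""
    var = KEY_ENV_VARS[environment]  # KeyError for an unknown environment
    key = env.get(var, "").strip()
    if not key:
        raise PartnerAuthError(f"{var} is not set")
    return key


def build_request(url, environment, env=os.environ):
    """Attach the key as x-api-key; refuse plaintext HTTP (added precaution)."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the partner API key over a non-HTTPS URL")
    req = urllib.request.Request(url)
    # urllib stores the name as "X-api-key"; HTTP header names are case-insensitive.
    req.add_header("x-api-key", load_key(environment, env))
    return req


def explain_auth_failure(status, body):
    """Map the documented 401/403 responses to the operator action they imply."""
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, TypeError, AttributeError):
        message = ""
    if status == 401:
        return f"401: no key sent or key malformed ({message}); check secret injection"
    if status == 403:
        return "403: key is not partner-type or is inactive; do not retry, request a replacement"
    return None
```

Because `load_key` never falls back across environments, a staging deployment that lacks its own key fails locally instead of silently using the production key.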
Multiple keys
An organization can have multiple partner API keys — useful for separating services,
environments, or teams. Each key is independent; revoking one does not affect the others.
Webhook endpoint authentication
Webhooks sent by TruEnroll don’t require your partner key — instead, you should verify
the incoming request on your end. See Webhooks for the recommended
verification approach.