API Chain Headers Reference

Partner portal uses the API chain exclusively. Every request to /api/v1/partner/** must include the HMAC authentication headers. The gateway also forwards infrastructure headers injected by Cloudflare and the reverse proxy.

Authentication Headers (Required)

Header	Description
`X-Api-Key`	Your provisioned API key (e.g. `sk_live_abc123`)
`Authorization`	`HMAC-SHA256 <base64-signature>`
`X-Timestamp`	Unix epoch in seconds (±60s of server time)
`X-Nonce`	Unique per-request identifier (UUID recommended)

Standard HTTP Headers

Header	Description
`Content-Type`	`application/json` for request bodies
`Accept`	`application/json`

Gateway Context Headers

These are injected by the gateway or reverse proxy. When calling through the API chain directly, some may be required or forwarded:

Header	Constant	Source
`X-Request-Id`	`REQUEST_ID`	GatewayHeaders
`X-Workspace-Id`	`WORKSPACE_ID`	GatewayHeaders
`X-LOCALE`	`LOCALE`	GatewayHeaders
`X-Forwarded-Proto`	`FORWARDED_PROTO`	GatewayHeaders

Cloudflare Headers

Injected by Cloudflare infrastructure. Not typically set by API callers, but may appear in gateway logs:

Header	Constant	Source
`CF-Connecting-IP`	`CLIENT_IP`	GatewayHeaders
`Cf-Ray`	`CF_RAY`	GatewayHeaders
`cf-ipcountry`	`COUNTRY`	GatewayHeaders
`cf-region`	`REGION`	GatewayHeaders
`cf-ipcity`	`CITY`	GatewayHeaders
`cf-iplatitude`	`LATITUDE`	GatewayHeaders
`cf-iplongitude`	`LONGITUDE`	GatewayHeaders
`cf-postal-code`	`POSTAL_CODE`	GatewayHeaders
`cf-timezone`	`TIMEZONE`	GatewayHeaders
`User-Agent`	`USER_AGENT`	GatewayHeaders
`Accept-Language`	`ACCEPT_LANGUAGE`	GatewayHeaders
`Exposed-Credential-Check`	`EXPOSED_CREDENTIAL_CHECK`	GatewayHeaders

API Chain Headers Reference ​

Authentication Headers (Required) ​

Standard HTTP Headers ​

Gateway Context Headers ​

Cloudflare Headers ​

API Chain Headers Reference

Authentication Headers (Required)

Standard HTTP Headers

Gateway Context Headers

Cloudflare Headers