Authentication in the CapData API

All requests to the CapData APIs must be authenticated. We use a token-based system with HTTP headers to ensure that only authorized users can access the resources.

How to Get Your Main API Key

Your main API Key is the fundamental credential for interacting with the services. Each account (Owner or independent Agency) has a unique API Key.

  1. Log in to your CapData Portal.
  2. On the main dashboard, you will see a section called "Your Main API Key".
  3. Copy this key. This is the value you should use in the X-API-Key or X-CapData-Token header, depending on the endpoint.

Important! Treat your API Key like a password. Do not share it publicly or include it directly in client-side (frontend) code.

Token and Header Types

Depending on the endpoint and the actor performing the action, you will need to use a specific authentication header.

X-API-Key (General API)

Used by the General API (/api/extract, /api/update_reservation). The value can be the API Key of an Owner or an Agency.

Header Example
X-API-Key: your_owner_or_agency_api_key

X-Employee-Token (General API for Agents)

Used by the General API when the action is performed by an Agent. This token is created in the portal, in the "Manage My Agents" section.

Header Example
X-Employee-Token: the_specific_agent_token

X-Owner-API-Key (Management API)

Used exclusively by the Management API (/api/management/*). The value MUST be the API Key of a client with the Owner role.

Header Example
X-Owner-API-Key: your_owner_api_key

X-CapData-Token (Modern APIs)

This is the unified and recommended header for the newest APIs, such as the Chat API and the Transcription API. The value can be the API Key of an Owner, an Agency, or an Agent's token. The system will automatically identify the actor type.

Header Example
X-CapData-Token: your_api_key_or_agent_token

SSO / Single Sign-On via Link

In addition to authentication headers, CapData offers SSO via link to open the portal already authenticated from your own systems (deep-linking). See the full guide on the SSO page.

When to use SSO: Ideal for linking from your backoffice to the CapData Portal without asking for credentials again (e.g., "Open CapData" or "Go to agent panel").

SSO Endpoints (read-only, see guide)

SSO Link Example (Client/Agency)
https://capdata.es/auth/apikey-login?key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Best practices for using SSO links

Recommendation: for server-to-server integrations or calls from third-party web applications, use X-CapData-Token or the specific headers for each API. Reserve SSO via link for user navigation to the portal.
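
As an added example (not CapData's own code), the Python helper below picks the header described under "Token and Header Types" for a given path and actor, and masks credentials in headers and in the link from "SSO Link Example" before they are written to logs. The actor labels, the CAPDATA_API_KEY variable name, and the rule that any other path counts as a newer API are assumptions made for this example.

```python
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names documented on this page, lower-cased for matching.
SECRET_HEADERS = {"x-api-key", "x-employee-token",
                  "x-owner-api-key", "x-capdata-token"}
GENERAL_PATHS = ("/api/extract", "/api/update_reservation")


def load_credential(var="CAPDATA_API_KEY"):
    """Read the key from the environment (variable name is an assumption)."""
    value = os.environ.get(var, "").strip()
    if not value:
        raise RuntimeError(f"{var} is not set")
    return value


def auth_header(path, actor, credential):
    """Return the header for a path; actor is 'owner', 'agency' or 'agent'
    (labels chosen for this example)."""
    if actor not in ("owner", "agency", "agent"):
        raise ValueError(f"unknown actor: {actor!r}")
    if not credential:
        raise ValueError("empty credential")
    if path.startswith("/api/management/"):
        if actor != "owner":
            raise PermissionError("Management API needs an Owner API Key")
        return {"X-Owner-API-Key": credential}
    if path in GENERAL_PATHS:
        name = "X-Employee-Token" if actor == "agent" else "X-API-Key"
        return {name: credential}
    # Assumption: any other path is a newer API (Chat, Transcription).
    return {"X-CapData-Token": credential}


def redact_headers(headers):
    """Copy of headers that is safe to log: credential values are masked."""
    return {k: "REDACTED" if k.lower() in SECRET_HEADERS else v
            for k, v in headers.items()}


def redact_sso_url(url):
    """Mask the key query parameter of an SSO link before logging it."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "key" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```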