Authentication
How to create an Ingest API source key, authenticate requests, use Test Mode, and rotate keys for the Ours Privacy Ingest API.
Authentication
The Ours Privacy Ingest API authenticates each request with a source API key. Unlike the Platform API, the key is sent as a token field in the request body — not in an Authorization header.
{
"event": "Purchase",
"userId": "user123",
"token": "YOUR_API_KEY"
}Creating an API Key
The Ingest API key is issued when you add an Ingest API source to your account.
- Go to Sources → Add Source in your Ours Privacy dashboard
- Select the Ingest API source
- Copy the API key — you'll also get example
curlcommands for the/trackand/identifyendpoints
Important: Treat your API key like a password. Store it in a secrets manager, environment variable, or encrypted configuration — never commit it to source control.
Identifying the Visitor
Authentication associates a request with your account; you still need to tell the API which visitor an event belongs to. Include at least one of these identifiers in every request:
userId— the Ours Privacy Visitor ID stored on your web propertiesexternalId— your own identifier for grouping a visitor across systemsemail— an email address to associate with the visitor
Use the same identifier across your web and server implementations so events resolve to one visitor.
Test Mode
Each account also has a Test Mode API key for validating an integration without dispatching events to your destinations.
- Open the Install page in your dashboard and copy the Test Mode API Key
- Send requests with the Test Mode key in place of your live key
Events sent with the Test Mode key are processed and stored in Recent Events with a distinct Test tag, but are never forwarded to configured destinations. Swap in your live key when you're ready to dispatch.
Error Handling
| Status | Meaning |
|---|---|
401 Unauthorized | Missing or invalid API key |
400 Bad Request | Missing required fields or malformed JSON |
Rotating a Key
Rotate keys by standing up a fresh source and migrating to it, so no events are lost in the transition:
- Create a new source — go to Sources → Add Source and add another Ingest API source to generate a new key while the existing one stays active.
- Update your integration — point your backend at the new key.
- Monitor event flow — confirm events arrive under the new source in Recent Events and the volume matches expectations.
- Retire the old source — once everything flows through the new key, deactivate and delete the old source.
Next Steps
- Quickstart — make your first API call.
- Ingest API Overview — endpoints and key concepts.
How is this guide?