Installer.com Docs

Authentication

How to authenticate with the Installer.com API using bearer tokens

Overview

The Installer.com API uses bearer token authentication.

MethodUse CaseHeader
Bearer TokenServer-to-server integrations, API clientsAuthorization: Bearer <token>

Getting an API Key

Log in to app.installer.com and go to Settings → Integrations in the sidebar.

Add a key

In the API section, click Add key and give it a descriptive name (e.g., "ERP Integration" or "Webhook Server").

Copy the key

Copy the generated key immediately. It will not be shown again, so store it securely in your application's environment variables.

API keys inherit the permissions of the user who created them. Use a dedicated service account with minimum required permissions for production integrations.

Using the Token

Include your token in the Authorization header of every request:

curl -X GET "https://api.installer.com/api/v1/partners/installers" \
  -H "Authorization: Bearer YOUR_API_TOKEN"
const response = await fetch(
  'https://api.installer.com/api/v1/partners/installers',
  {
    headers: {
      Authorization: `Bearer ${apiToken}`,
    },
  }
);

const installers = await response.json();
import requests

response = requests.get(
    "https://api.installer.com/api/v1/partners/installers",
    headers={
        "Authorization": f"Bearer {api_token}",
    },
)

installers = response.json()

Try it directly on the List Installers API reference page.

Error Responses

Authentication failures return standard HTTP error codes:

StatusDescriptionCommon Cause
401 UnauthorizedMissing or invalid tokenToken not included, expired, or revoked
403 ForbiddenInsufficient permissionsToken user lacks required role
{
  "error": "Unauthorized",
  "message": "Invalid or expired token",
  "statusCode": 401
}

Security Best Practices

  • Never commit tokens to source control. Use environment variables.
  • Rotate tokens periodically and after personnel changes.
  • Use minimum permissions. Create tokens from accounts with only the roles needed.
  • Revoke immediately if a token is compromised.
  • Use HTTPS. All API traffic must be over HTTPS in production.
  • Set token expiry. Consider creating short-lived tokens for automated processes.

On this page