Authentication
How to authenticate with the Installer.com API using bearer tokens
Overview
The Installer.com API uses bearer token authentication.
| Method | Use Case | Header |
|---|---|---|
| Bearer Token | Server-to-server integrations, API clients | Authorization: Bearer <token> |
Getting an API Key
Navigate to Integrations
Log in to app.installer.com and go to Settings → Integrations in the sidebar.
Add a key
In the API section, click Add key and give it a descriptive name (e.g., "ERP Integration" or "Webhook Server").
Copy the key
Copy the generated key immediately. It will not be shown again, so store it securely in your application's environment variables.
API keys inherit the permissions of the user who created them. Use a dedicated service account with minimum required permissions for production integrations.
Using the Token
Include your token in the Authorization header of every request:
curl -X GET "https://api.installer.com/api/v1/partners/installers" \
-H "Authorization: Bearer YOUR_API_TOKEN"const response = await fetch(
'https://api.installer.com/api/v1/partners/installers',
{
headers: {
Authorization: `Bearer ${apiToken}`,
},
}
);
const installers = await response.json();import requests
response = requests.get(
"https://api.installer.com/api/v1/partners/installers",
headers={
"Authorization": f"Bearer {api_token}",
},
)
installers = response.json()Try it directly on the List Installers API reference page.
Error Responses
Authentication failures return standard HTTP error codes:
| Status | Description | Common Cause |
|---|---|---|
401 Unauthorized | Missing or invalid token | Token not included, expired, or revoked |
403 Forbidden | Insufficient permissions | Token user lacks required role |
{
"error": "Unauthorized",
"message": "Invalid or expired token",
"statusCode": 401
}Security Best Practices
- Never commit tokens to source control. Use environment variables.
- Rotate tokens periodically and after personnel changes.
- Use minimum permissions. Create tokens from accounts with only the roles needed.
- Revoke immediately if a token is compromised.
- Use HTTPS. All API traffic must be over HTTPS in production.
- Set token expiry. Consider creating short-lived tokens for automated processes.