Skip to main content

Overview

The HirePanda API uses API keys to authenticate requests. API keys are associated with your workspace and can be managed from your dashboard.
API keys are sensitive credentials. Never expose them in client-side code, commit them to version control, or share them publicly.

Getting Your API Key

1

Navigate to Settings

Go to your Dashboard Settings
2

Select API Keys

Click on “API Keys” in the settings menu
3

Generate New Key

Click “Generate New API Key” and provide a descriptive name
4

Copy and Secure

Copy the key immediately - it won’t be shown again

Using Your API Key

Header Authentication

Include your API key in the Authorization header: 
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://api.hirepanda.com/api/v1/jobs

Example Requests

const response = await fetch('https://api.hirepanda.com/api/v1/jobs', {
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json'
  }
});

API Key Management

Key Permissions

Configure granular permissions for each API key:
  • View jobs
  • List candidates
  • Access analytics
  • Read webhooks

Key Rotation

Best practices for key security:
Rotate API keys every 90 days to minimize exposure risk
# 1. Generate new key
# 2. Update your applications
# 3. Test new key
# 4. Revoke old key
If a key is compromised:
  1. Immediately revoke the compromised key
  2. Generate a new key
  3. Update all applications
  4. Review API logs for unauthorized access

Multiple Keys

Use different keys for different purposes:
Key TypeUse CasePermissions
ProductionLive applicationFull access
DevelopmentLocal developmentLimited access
CI/CDAutomated testingRead only
AnalyticsReporting toolsAnalytics only

Security Best Practices

Environment Variables

Store API keys in environment variables: 
HIREPANDA_API_KEY=your_api_key_here

Secure Storage

Do's

  • Use environment variables
  • Use secret management tools
  • Encrypt keys at rest
  • Limit key permissions

Don'ts

  • Hard-code in source code
  • Commit to version control
  • Share in documentation
  • Use in client-side code

OAuth 2.0 (Coming Soon)

We’re implementing OAuth 2.0 for more secure, user-centric authentication:

Planned Features

  • Authorization code flow
  • Refresh tokens
  • Scope-based permissions
  • Third-party app support
OAuth 2.0 support is planned for Q2 2024. Contact [email protected] for early access.

IP Whitelisting

For additional security, restrict API access by IP:
1

Enable IP Whitelisting

Go to Settings → Security → IP Whitelist
2

Add IP Addresses

Add your server’s static IP addresses
3

Test Access

Verify API access from whitelisted IPs
IP whitelisting is only recommended for server-to-server communication with static IPs.

Error Handling

Authentication Errors

Common authentication error responses: 
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key",
    "status": 401
  }
}

Error Codes

CodeStatusDescription
unauthorized401Missing or invalid API key
forbidden403Valid key but insufficient permissions
rate_limited429Too many requests
key_expired401API key has expired

Monitoring Usage

Track your API key usage in the dashboard:

Available Metrics

  • Request count by endpoint
  • Error rates
  • Response times
  • Geographic distribution
  • Top endpoints

Usage Alerts

Set up alerts for:
  • Approaching rate limits
  • Unusual activity patterns
  • Failed authentication attempts
  • Key expiration reminders

Support

Security Issues

Report security concerns immediately

API Support

Get help with authentication