Authentication
All requests to the IB Partner API must include a valid API key.
Bearer token
Pass your API key in the Authorization header of every request:
Authorization: Bearer YOUR_API_KEY
Example
GET /api/ib/user-status?user_id=a1b2c3d4-0000-0000-0000-000000000000
Authorization: Bearer ibs_live_a1b2c3d4e5f6...
info
API keys are issued only to Partner accounts. Contact your IB account manager to obtain one.
Security guidelines
- Never expose your key in client-side code — browsers, mobile apps, or public repositories.
- Rotate your key immediately if you suspect it has been leaked.
- All API requests must be made over HTTPS. Plain HTTP requests will be rejected.
API key rules
- Each Partner account can have only one active API key at a time. Generating a new key immediately revokes the previous one.
- API keys expire after 3 months. You must generate a new key before expiry to avoid service interruption.
- When a key expires, all requests will return
401 Unauthorizeduntil a new key is issued.
Errors
| Scenario | Response |
|---|---|
Missing Authorization header | 401 Unauthorized |
| Invalid or revoked API key | 401 Unauthorized |
| API key expired | 401 Unauthorized |
| Key belongs to a non-Partner account | 401 Unauthorized |
See the Error Codes reference for full response bodies.