Every Raptor Comply API request requires an X-API-Key header. Learn how to obtain, use, and rotate your API key.
Every request to the Raptor Comply API requires one header: X-API-Key. There are no cookies, no OAuth flows, and no session tokens; the key is the complete authentication model. Each key is bound to a single organization, so the key alone identifies your tenant.
Header: X-API-Key
Value: Your API key, beginning with rc_live_
Source: Generated inside Raptor Comply by an Organization Admin

Getting an API key

API keys are issued from the Settings page (https://app.raptorcomply.com/settings) inside Raptor Comply by a user with the Organization Admin role. Each key is scoped to a single organization and grants access to read facilities, control centers, and cyber systems, and to perform full CRUD on cyber assets. If you don’t yet have a key, ask your organization admin to generate one and deliver it to you through your team’s standard secrets-handling process. Raptor Comply does not email keys or display them after initial generation, so treat the moment of creation as your one opportunity to capture it.

Passing the header

Include the X-API-Key header on every request. Here is a complete example that lists your facilities:
curl https://api.raptormaps.com/facilities \
  -H "X-API-Key: rc_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Replace the rc_live_... value with your actual API key. For real usage, store the key as an environment variable rather than hardcoding it: see the Quickstart for a working example using env vars.

Authentication errors

All authentication failures return a JSON body with error and message fields. The three cases you may encounter are:
The request arrived without an X-API-Key header.
{
  "error": "Unauthorized",
  "message": "Missing X-API-Key header"
}
Fix: Add the X-API-Key header to your request.
The X-API-Key value does not match any active key.
{
  "error": "Unauthorized",
  "message": "Invalid API key"
}
Fix: Verify you’ve copied the key correctly. If you recently rotated keys, confirm you’re using the new one and that the old one hasn’t already been revoked.
The API key was valid but has passed its expiration date.
{
  "error": "Unauthorized",
  "message": "API key has expired"
}
Fix: Ask your Organization Admin to generate a new key. See Key rotation below.

Key rotation

Treat your API key like a password:
  • Rotate on a regular cadence. We recommend at least annually, or more frequently if your security policy requires it.
  • Rotate immediately if a key has been exposed: committed to source control, logged in plaintext, or otherwise leaked.
  • Revocation is explicit. Generating a new key in Raptor Comply does not automatically revoke the old one. Your Organization Admin must explicitly revoke the prior key after the new one is deployed and confirmed working. Until revocation, both keys are valid simultaneously, which gives you a zero-downtime rotation window.
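The rotation window described above can be checked from the client side before the old key is revoked. The following is an added example, not code from Raptor Comply: the `send` transport, the `fake_api` stand-in, the sample keys, the success body and the verdict strings are all assumptions made so it runs offline; only the error bodies come from this page.

```python
import json

# Auth error messages documented on this page that a different key could fix.
KEY_REJECTED = {"Invalid API key", "API key has expired"}

def auth_failure(body_text):
    """Return the documented auth error message, or None for any other body."""
    try:
        body = json.loads(body_text)
    except (TypeError, ValueError):
        return None
    if isinstance(body, dict) and body.get("error") == "Unauthorized":
        return body.get("message", "")
    return None

def redact(key):
    """Log-safe form of a key: the rc_live_ prefix and the last four characters."""
    return key[:8] + "..." + key[-4:]

def call_during_rotation(send, new_key, old_key):
    """Try the new key, fall back to the old one while both are still valid.

    send(headers) is a caller-supplied transport (hypothetical) returning the
    response body as text. Returns (body, verdict).
    """
    body = send({"X-API-Key": new_key})
    failure = auth_failure(body)
    if failure is None:
        return body, "revoke-old-ok"      # new key confirmed working
    if failure not in KEY_REJECTED:
        raise RuntimeError("request bug, not a key problem: " + failure)
    body = send({"X-API-Key": old_key})
    if auth_failure(body) is not None:
        raise RuntimeError("both keys rejected; last tried " + redact(old_key))
    return body, "keep-old"               # do not revoke until the new key is fixed

def fake_api(active_keys):
    """Constructed stand-in for the API so the example runs offline."""
    def send(headers):
        key = headers.get("X-API-Key")
        if key is None:
            return json.dumps({"error": "Unauthorized", "message": "Missing X-API-Key header"})
        if key not in active_keys:
            return json.dumps({"error": "Unauthorized", "message": "Invalid API key"})
        return json.dumps({"facilities": []})  # constructed success body
    return send

OLD, NEW = "rc_live_" + "a" * 8, "rc_live_" + "b" * 8  # constructed sample keys
```

A "keep-old" verdict means the new key has not been confirmed working, so revoking the prior key at that point would cause an outage.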
Ready to make your first request? Head to the Quickstart to list your facilities using curl, Node.js, or Python in under five minutes.