Authentication
The Ingest API authenticates each request with a bearer token scoped to a datasource. Product API tokens with the right scopes also work.
Every request to the Ingest API carries a bearer token in the Authorization header. Two flavours of token are accepted:
- Datasource token — issued per datasource from the dashboard. Can only read and write that datasource. The right choice for CRM, e-commerce or product-event integrations that should not see anything else.
- Product API token — a broader token that also works here as long as it carries the Ingest scopes. Convenient when a single backend drives both APIs.
Scope defaults to the datasource that minted the token; there is no way to widen it at request time.
Getting a datasource token
Open the datasource
In the dashboard, open the project and navigate to Datasources → pick the API datasource you want to write to, or create a new one with type API.
Issue the token
Under Credentials, click Generate token. Copy the value straight away — it is shown once.
Note the URL parts
The datasource page also shows the
projectanddatasourceidentifiers that go in the URL:https://api.instasent.com/v1/project/{project}/datasource/{datasource}/stream/...
Sending the token
curl "https://api.instasent.com/v1/project/$PROJECT/datasource/$DATASOURCE/stream" \
-H "Authorization: Bearer $INSTASENT_TOKEN"A missing, malformed or revoked token returns 401 Unauthorized. Mismatched project/datasource ids return 404 Not Found.
Rotating a token
Tokens do not expire. Rotate them whenever a teammate leaves, whenever a secret might have been exposed, and at least once a year as a hygiene measure.
Issue the replacement
Create a new token in the dashboard before revoking the old one. This keeps traffic flowing while you redeploy.
Roll it out
Update your secrets store and redeploy the workers that call the API.
Revoke the old token
Once the replacement is live everywhere, delete the old token in the dashboard. Any request still using it will fail with
401.
What's next
- Rate limits — per-endpoint ceilings and the
X-RateLimit-*headers. - Errors — status codes and partial-success shape.