Skip to main content
All API endpoints require authentication unless explicitly marked as public.

API Key Authentication

Include your API key in the X-API-Key header: 
curl -H "X-API-Key: csb_AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEf_1a2b3c4d" \
  https://www.closient.com/products/api/v1/products

Key Format

<prefix>_<body>_<checksum>
ComponentDescription
prefixKey type identifier (csb, csu, or cpk)
body32 random alphanumeric characters
checksum8-character lowercase hex CRC-32 digest of the body
The checksum enables client-side format validation before making a request: 
import zlib

def verify_api_key(api_key: str) -> bool:
    parts = api_key.split("_")
    if len(parts) != 3:
        return False
    prefix, body, checksum = parts
    if prefix not in ("csb", "csu", "cpk"):
        return False
    expected = format(zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF, "08x")
    return checksum == expected

Key Types

PrefixNameScopeUse Case
csbBusinessOrganizationServer-side API access with full permissions
csuUserUserUser-scoped access, respects the user’s org memberships
cpkPublishableOrganizationClient-side widgets and embeds — safe to expose in frontend code
Publishable keys (cpk) have additional controls:
  • Per-key rate limits (rate_limit_per_minute, rate_limit_per_day)
  • Optional expiration (expires_at)
  • Scoped to a single organization (returns org context, not user context)

Key Lifecycle

Keys are shown once at creation time. The raw key is never stored — only its SHA-256 hash.
FieldDescription
is_activeSet to false to immediately revoke
expires_atOptional expiration datetime (rejected after expiry)
last_usedUpdated on each authenticated request
rate_limit_per_minutePer-key override (0 = use global default)
rate_limit_per_dayPer-key override (0 = use global default)

Organization Roles (RBAC)

Users belong to organizations through memberships, each with a role:
RoleManage OrgBillingMembersOffersAPI Keys
OwnerYesYesYesYesYes
ManagerNoYesYesYesYes
BillingNoYesNoNoNo
EditorNoNoNoYesNo
Roles are evaluated per-organization. A user can be an Owner of one organization and an Editor of another.

Permission Reference

PermissionRequired Role
organization.view_organizationAny member
organization.contribute_organizationOwner, Manager, or Editor
organization.manage_billingOwner, Manager, or Billing
organization.manage_api_keysOwner or Manager
organization.manage_membersOwner or Manager
organization.delete_organizationOwner only

Session Authentication

Browser-based access (Dashboard, admin) uses Django session cookies. This is automatic when logged in and is primarily for internal use. API integrations should always use API key authentication.

Security Best Practices

  • Never expose csb or csu keys in client-side code — use cpk publishable keys instead
  • Store keys in environment variables, not in source code
  • Rotate keys periodically and revoke unused ones
  • Use per-key rate limits on publishable keys to prevent abuse
  • Set expiration dates on keys used for temporary integrations