Documentation Index
Fetch the complete documentation index at: https://docs.closient.com/llms.txt
Use this file to discover all available pages before exploring further.
All API endpoints require authentication unless explicitly marked as public.
API Key Authentication
Include your API key in the X-API-Key header:
curl -H "X-API-Key: csb_AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEf_1a2b3c4d" \
https://www.closient.com/products/api/v1/products
<prefix>_<body>_<checksum>
| Component | Description |
|---|
prefix | Key type identifier (csb, csu, or cpk) |
body | 32 random alphanumeric characters |
checksum | 8-character lowercase hex CRC-32 digest of the body |
import zlib
def verify_api_key(api_key: str) -> bool:
parts = api_key.split("_")
if len(parts) != 3:
return False
prefix, body, checksum = parts
if prefix not in ("csb", "csu", "cpk"):
return False
expected = format(zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF, "08x")
return checksum == expected
Key Types
| Prefix | Name | Scope | Use Case |
|---|
csb | Business | Organization | Server-side API access with full permissions |
csu | User | User | User-scoped access, respects the user’s org memberships |
cpk | Publishable | Organization | Client-side widgets and embeds — safe to expose in frontend code |
cpk) have additional controls:
- Per-key rate limits (
rate_limit_per_minute, rate_limit_per_day)
- Optional expiration (
expires_at)
- Scoped to a single organization (returns org context, not user context)
Key Lifecycle
Keys are shown once at creation time. The raw key is never stored — only its SHA-256 hash.
| Field | Description |
|---|
is_active | Set to false to immediately revoke |
expires_at | Optional expiration datetime (rejected after expiry) |
last_used | Updated on each authenticated request |
rate_limit_per_minute | Per-key override (0 = use global default) |
rate_limit_per_day | Per-key override (0 = use global default) |
Organization Roles (RBAC)
Users belong to organizations through memberships, each with a role:
| Role | Manage Org | Billing | Members | Offers | API Keys |
|---|
| Owner | Yes | Yes | Yes | Yes | Yes |
| Manager | No | Yes | Yes | Yes | Yes |
| Billing | No | Yes | No | No | No |
| Editor | No | No | No | Yes | No |
Permission Reference
| Permission | Required Role |
|---|
organization.view_organization | Any member |
organization.contribute_organization | Owner, Manager, or Editor |
organization.manage_billing | Owner, Manager, or Billing |
organization.manage_api_keys | Owner or Manager |
organization.manage_members | Owner or Manager |
organization.delete_organization | Owner only |
Session Authentication
Browser-based access (Dashboard, admin) uses Django session cookies. This is automatic when logged in and is primarily for internal use. API integrations should always use API key authentication.
Security Best Practices
- Never expose
csb or csu keys in client-side code — use cpk publishable keys instead
- Store keys in environment variables, not in source code
- Rotate keys periodically and revoke unused ones
- Use per-key rate limits on publishable keys to prevent abuse
- Set expiration dates on keys used for temporary integrations
