Authentication
Every API request requires an API key and tenant ID.
Required Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Bearer YOUR_API_KEY |
| X-Tenant-ID | Yes | Your tenant UUID |
| Content-Type | Yes | application/json for POST/PUT requests |
Example request:
curl https://api.korastratum.com/api/v1/screenings \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "X-Tenant-ID: YOUR_TENANT_ID" \
-H "Content-Type: application/json"
Getting Your Credentials
- Sign up at app.korastratum.com/signup
- Navigate to Settings → API Keys in the dashboard
- Copy your API Key and Tenant ID
Environments
| Environment | Base URL |
|---|---|
| Production | https://api.korastratum.com/api/v1 |
| Sandbox | https://api.korastratum.com/api/v1 |
info
Both environments use the same base URL. Your API key prefix determines the environment.
The environment is determined by your API key. Production keys access live watchlist data; sandbox keys operate in a test environment.
Response Headers
Every API response includes these headers for debugging and tracking:
| Header | Description |
|---|---|
| X-Request-ID | Unique identifier for the request — include this in support tickets |
| X-RateLimit-Limit | Maximum requests allowed per minute |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | Unix timestamp when the rate limit resets |
Rate Limits
Rate limits depend on your subscription tier:
| Tier | Requests/min | Description |
|---|---|---|
| Standard | 100 | Default tier |
| Professional | 1,000 | For higher-volume use cases |
| Enterprise | 10,000 | Custom limits available |
When you exceed the rate limit, the API returns a 429 status code:
{
"code": "RATE_LIMITED",
"message": "Rate limit exceeded. Retry after 2025-06-01T12:00:30Z",
"request_id": "req_abc123"
}
See Rate Limits for backoff strategies and best practices.
Security
All API communication uses HTTPS. The API enforces these security headers on every response:
- Strict-Transport-Security: max-age=31536000 — HSTS enabled
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Cache-Control: no-store — no response caching
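A check that an integration test or monitor could run to confirm that responses reaching your backend still carry the four headers listed above, for example after they pass through a proxy. This is an added example, not code from Korastratum: the function names and both sample header sets are constructed for illustration, and accepting an HSTS max-age larger than the documented value is an assumption.

```python
# Expected values come from the header list above; all names here are hypothetical.
EXPECTED = {
    "strict-transport-security": ("max-age", 31536000),
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
    "cache-control": "no-store",
}

def parse_directives(value):
    """Split 'a=1; b' or 'a, b=2' into a lower-cased {name: arg-or-None} dict."""
    out = {}
    for part in value.replace(",", ";").split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"') or None
    return out

def audit_security_headers(headers):
    """Return a list of findings; an empty list means every header matched."""
    seen = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []
    for name, want in EXPECTED.items():
        directives = parse_directives(seen.get(name, ""))
        if name not in seen:
            findings.append(f"{name}: missing")
        elif isinstance(want, tuple):  # HSTS: max-age must reach the documented value
            key, minimum = want
            raw = directives.get(key) or ""
            if not raw.isdecimal() or int(raw) < minimum:
                findings.append(f"{name}: {key} absent or below {minimum}")
        elif want not in directives:
            findings.append(f"{name}: expected {want!r}, got {seen[name]!r}")
    return findings

# Constructed sample headers, not captured from the real API.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Cache-Control": "no-store",
}
# Constructed: a response as it might look after an intermediary rewrote it.
BAD = {
    "strict-transport-security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "public, max-age=60",
}
if __name__ == "__main__":
    print(audit_security_headers(GOOD), audit_security_headers(BAD), sep="\n")
```

A non-empty result on traffic from the API usually points at something between the API and your code (a caching proxy or TLS-terminating gateway) altering the response.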
warning
Never expose your API key in client-side code. All API calls should originate from your backend server.