PULLFIRST[THE RECORD]

Authentication

API keys via the Authorization header.

Authenticate with an API key passed in the Authorization header using the Bearer scheme. Keys are 72 characters total: the sk_live_ prefix followed by 64 hex characters. HTTPS is required; plaintext requests are redirected.

Sending the key

curl "https://api.pullfirst.com/v1/licenses/search?q=Roofing" \
  -H "Authorization: Bearer sk_live_..."

The header value is the literal string Bearer, a single space, and the full key.

Key management

Keys are created, listed, and revoked from the dashboard. The full value is displayed exactly once at creation. The stored record keeps a SHA-256 hash of the full key plus a 12-character prefix (sk_live_ plus four hex characters) used to identify the key in the dashboard. If the full key is lost, rotate: create a new one, deploy it, then revoke the old one.

Tier caps on active keys

Each account can hold a limited number of active keys simultaneously:

TierMax active keys
Sandbox1
Builder3
Production10
EnterpriseUnlimited

Revocation

Revoked keys return 401 unauthorized. Validation is cached for up to 60 seconds per node, so a just-revoked key may continue to work briefly before the cache expires.

Public endpoints

A small set of endpoints does not require a key:

  • /v1/billing/plans — plan listings
  • /v1/coverage — coverage summary
  • /v1/permit-downloads/* — permit-download editions, samples, and purchase flow
  • /v1/sitemap/* — sitemap data for crawlers
  • /v1/licenses/suggest — license-name autocomplete
  • /v1/permits/address-suggest — address autocomplete
  • /v1/match-disputes — data-quality dispute submission

Every other endpoint requires a valid key.

Quickstart

Sign in, create a key, make a request.

Rate limits

Per-minute and monthly quotas per API key.

On this page

Sending the keyKey managementTier caps on active keysRevocationPublic endpoints