Skip to main content

Environments and Authentication

This section explains the available environments in Auco and how to authenticate securely when consuming the API.

API Versioning

All requests must include the current API version in the base URL. We currently use version v1.5, with the /ext suffix indicating endpoints intended for external integrations.

Available Environments

Auco provides two separate environments:

🔧 Testing Environment (stage)

  • Base URL: https://dev.auco.ai/v1.5/ext
  • Intended for integrations, testing, and development.
  • No real charges or document movements are generated.
  • You can request access by creating an account at stage.auco.ai.

🚀 Production Environment

  • Base URL: https://api.auco.ai/v1.5/ext
  • This environment runs real document workflows and counts signed or delivered documents.
  • Requires an active credit package and a properly configured production account.

Authentication

Auco’s API uses two types of authentication keys: public and private. These keys must be included in the request headers depending on the operation type:

  • Read (GET): use the public key (puk_...)
  • Write (POST, PUT, DELETE): use the private key (prk_...)

🔑 Required Header

Authorization: YOUR_PUBLIC_OR_PRIVATE_KEY

📘 curl Example for Read (GET)

curl -X GET https://dev.auco.ai/v1.5/ext/documents \
  -H "Authorization: puk_ocG0ODMlBlAN4NOi4GxVJjmC7Examaple" \
  -H "Content-Type: application/json"

📘 curl Example for Write (POST)

curl -X POST https://dev.auco.ai/v1.5/ext/documents \
  -H "Authorization: prk_ocG0ODMlBlAN4NOi4GxVJjmC7Examaple" \
  -H "Content-Type: application/json" \
  -d '{ "name": "document.pdf" }'

Note: Keep your private keys secure. Never share them publicly or include them in public-facing clients like browsers.

Recommendations

  • Use the stage environment for all initial testing before switching to production.
  • Make sure to use the public key for GET and the private key for POST, PUT, and DELETE.
  • Update both the base URL and the keys when moving to production.
  • Protect your private keys: never share them publicly or include them in public clients such as browsers or mobile apps.
  • If you automate processes, consider implementing periodic key rotation.

Common Error Code

  • 401 Unauthorized: A valid key was not included in the Authorization header, or the wrong type of key was used for the operation (read/write).