Authentication
AtlasCore uses bearer token authentication on all API endpoints.
Key format
| Prefix | Environment | Purpose |
|---|---|---|
ac_test_ | Sandbox | Development and testing. No billing. |
ac_live_ | Production | Live data with billing active. |
Making requests
Include your API key in the Authorization header:
curl -H "Authorization: Bearer ac_test_your_key_here" \
https://api.atlascore.com.au/v1/datasets
Pack-scoped requests
Most tenant-facing endpoints require a pack_id parameter. This scopes the request to datasets bound to your entitled pack:
curl -H "Authorization: Bearer ac_test_your_key_here" \
"https://api.atlascore.com.au/v1/emission-factors/scope2?grid=NSW1&pack_id=au_climate_disclosure"
Admin requests
Admin endpoints use a separate key and support tenant-scoped operations via the X-AtlasCore-On-Behalf-Of-Tenant-Id header:
curl -H "Authorization: Bearer admin_key_here" \
-H "X-AtlasCore-On-Behalf-Of-Tenant-Id: tenant_abc" \
https://api.atlascore.com.au/v1/admin/datasets
Auth behaviour
| Environment | Default AUTH_REQUIRED |
|---|---|
dev, test, local | false |
| All others | true |
When auth is disabled (local development), the API accepts any bearer token and assigns a default tenant context.
Error responses
| Status | Meaning |
|---|---|
401 | Missing or invalid bearer token |
403 | Valid token but insufficient entitlement for the requested pack |
429 | Rate limit or quota exceeded |
Token rotation
To rotate an API key:
- Generate a new key through the AtlasCore dashboard
- Update your application to use the new key
- Revoke the old key once traffic has migrated
Both keys remain valid during the transition window.
For sustainability consultants
If you're receiving API access from a developer or integration partner, they will provide you with a bearer token. You don't need to manage key rotation — that's handled by the account holder.