Authentication

The Partner API uses a client-credentials flow. You exchange your client ID and client secret for a time-limited access token, then include that token in the X-Auth-Token header on every subsequent request.

How it works

1. RecruitiFi provides you with a client ID and client secret during partner onboarding.
2. You call POST /v1/auth/token with your credentials to receive an access token.
3. Include the token in the X-Auth-Token header on all API requests.
4. When the token expires, request a new one.

Obtaining credentials

Contact your RecruitiFi partner manager to receive your client ID and client secret. These credentials are scoped to your partner organization and should be stored securely on your server — never expose them in client-side code.

Requesting an access token

Request

curl --request POST \
  --url https://api.recruitifi.com/v1/auth/token \
  --header 'Content-Type: application/json' \
  --data '{
    "client_id": "your-client-id",
    "client_secret": "your-client-secret"
  }'

Response

{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type": "bearer",
  "expires_in": 3600
}

The expires_in field indicates the token lifetime in seconds.

Using the token

Include the access token in the X-Auth-Token header on all subsequent requests.

Error handling

• 401 Unauthorized — invalid credentials or missing/expired X-Auth-Token
• 403 Forbidden — valid token but insufficient permissions

Caution

Keep your client secret and access tokens secure. Do not commit them to version control, embed them in client-side JavaScript, or share them in public channels.