Overview

All Firstwork API requests must be authenticated using an API key passed in the Authorization header.

API Key Authentication

Include your API key as a Bearer token in the Authorization header of every request:
curl -X GET "https://your-instance.firstwork.com/external/v1/hiring-flow/" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

Obtaining an API Key

API keys are generated in the Firstwork dashboard:
1. Navigate to API settings
   Go to Settings > API Keys in your Firstwork dashboard.
2. Generate a new key
   Click Generate New Key and give it a descriptive name (e.g., “Production Integration”, “Zapier Connector”).
3. Copy your key
   Copy the API key immediately — it won’t be shown again.
4. Store securely
   Store the key in a secure location such as an environment variable or secrets manager.

Best Practices

  • Never hardcode API keys in source code. Use environment variables or a secrets manager to store them securely.
  • Rotate API keys periodically. Create a new key, update your integrations, then revoke the old key.
  • Create separate API keys for each integration. This allows you to revoke access for a specific integration without affecting others.
  • Review API key usage logs to detect unauthorized access or unusual patterns.
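
When the curl request shown earlier is typed with a literal key, the key lands in shell history and in the curl process arguments, which other local users may be able to read while the command runs. The wrapper below is an added example, not Firstwork's own code: it reads the key from an environment variable and passes the headers to curl on stdin. The names FIRSTWORK_API_KEY, FIRSTWORK_BASE_URL, fw_curl_config and fw_get are assumptions, as is the check that keys use only RFC 6750 bearer-token characters.

```bash
#!/usr/bin/env bash
# Added example. FIRSTWORK_API_KEY, FIRSTWORK_BASE_URL, fw_curl_config and
# fw_get are assumed names, not part of the Firstwork API or tooling.

# Print a curl config fragment carrying the request headers.
# Refuses to run when the key is missing, and rejects any character outside
# the RFC 6750 bearer-token set (assumption: Firstwork keys fit that set), so
# a stray quote or newline cannot smuggle extra curl options or headers.
fw_curl_config() {
  local key="${FIRSTWORK_API_KEY:-}"
  if [ -z "$key" ]; then
    echo "FIRSTWORK_API_KEY is not set" >&2
    return 1
  fi
  case "$key" in
    *[!A-Za-z0-9._~+/=-]*)
      echo "FIRSTWORK_API_KEY contains unexpected characters" >&2
      return 1
      ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$key"
  printf 'header = "Content-Type: application/json"\n'
}

# GET a path under the instance URL. The headers reach curl on stdin
# (--config -), so the key is never an argument of the curl process.
# printf is a shell builtin, so it does not expose the key in argv either.
fw_get() {
  local base="${FIRSTWORK_BASE_URL:-https://your-instance.firstwork.com}"
  local cfg
  cfg="$(fw_curl_config)" || return 1
  printf '%s\n' "$cfg" |
    curl --silent --show-error --fail --proto '=https' --config - "${base}$1"
}

# Usage, with the key exported by your secrets manager or shell profile:
#   fw_get /external/v1/hiring-flow/
```
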

Company Context

After authentication, all API calls are automatically scoped to the company associated with your API key. This ensures all data access is isolated to your organization — you cannot accidentally access another company’s data.

Permissions

API access respects your organization’s permission model:
  • Read permissions control which data can be queried
  • Write permissions control which data can be modified
  • Some endpoints require admin-level API keys