RobinReturn
Partner API

Authentication

Authenticate to the RobinReturn Partner API with a bearer API key, and the scopes each endpoint requires.

Authenticate every request with your API key, sent as a bearer token:

Authorization: Bearer rr_live_xxxxxxxxxxxxxxxxxxxxxxxx

The X-Api-Key: rr_live_… header is also accepted. A missing, malformed, unknown or revoked key returns 401. A key without the scope a route requires returns 403.

Scopes

A key is granted only the scopes you requested at access time.

ScopeGrants
cases:writeUpload invoices and create cases (POST /api/v1/uploads, POST /api/v1/cases)
cases:readRead case status (GET /api/v1/cases/{id})
webhooks:manageManage outbound webhook endpoints (planned — see Webhooks)

Keeping keys safe

  • The full secret is shown once at creation — store it in a secret manager, never in source control or a client-side bundle.
  • A key can spend money and send legal letters. Treat it like a production credential.
  • Revoke a key immediately if it may have been exposed, and mint a replacement.
  • Keys are per-company; all access is scoped to your own company's data.

On this page