Partner API
Authentication
Authenticate to the RobinReturn Partner API with a bearer API key, and the scopes each endpoint requires.
Authenticate every request with your API key, sent as a bearer token:
Authorization: Bearer rr_live_xxxxxxxxxxxxxxxxxxxxxxxxThe X-Api-Key: rr_live_… header is also accepted. A missing, malformed, unknown or revoked key
returns 401. A key without the scope a route requires returns 403.
Scopes
A key is granted only the scopes you requested at access time.
| Scope | Grants |
|---|---|
cases:write | Upload invoices and create cases (POST /api/v1/uploads, POST /api/v1/cases) |
cases:read | Read case status (GET /api/v1/cases/{id}) |
webhooks:manage | Manage outbound webhook endpoints (planned — see Webhooks) |
Keeping keys safe
- The full secret is shown once at creation — store it in a secret manager, never in source control or a client-side bundle.
- A key can spend money and send legal letters. Treat it like a production credential.
- Revoke a key immediately if it may have been exposed, and mint a replacement.
- Keys are per-company; all access is scoped to your own company's data.