
Authentication

Authenticate with the LendWorks Broker API using API keys with scoped permissions.

API Key Authentication

All authenticated endpoints require a Bearer token in the Authorization header:

curl -H "Authorization: Bearer lw_live_xxxxxxxxxxxxxxxx" \
     https://api.lend.works/v1/leads

With the SDK

import { LendWorksClient } from '@lendworks/sdk-node'

const client = new LendWorksClient({
  apiKey: process.env.LENDWORKS_API_KEY,
})

Key Format

API keys follow the format lw_{prefix}_{secret}:

Part   | Description                                       | Example
-------|---------------------------------------------------|-----------------
lw     | Fixed namespace prefix                            | lw
prefix | Unique key identifier (used for lookup)           | abc12
secret | Hashed secret (bcrypt, never stored in plaintext) | xxxxxxxxxxxxxxxx

The prefix allows key identification in logs and dashboards without exposing the secret.

Key Management

Create and manage API keys in Admin > API Keys. Each key has a permission level and a rate limit tier, described below.

Permission Levels

Level      | Allowed Methods              | Use Case
-----------|------------------------------|------------------------------------------------
read       | GET only                     | Reporting, dashboards, read-only integrations
read_write | GET, POST, PATCH, PUT        | Most integrations — create and update resources
full       | All methods including DELETE | Administrative integrations

Attempting a disallowed method returns 403 Forbidden:

{
  "errors": [
    {
      "code": "FORBIDDEN",
      "message": "API key permission level 'read' does not allow POST requests"
    }
  ]
}

Rate Limit Tiers

Each key is assigned a tier that controls request limits:

Tier     | Requests/min | Use Case
---------|--------------|-------------------------
basic    | 100          | Development, testing
standard | 1,000        | Production integrations
premium  | 10,000       | High-volume production

See Rate Limits for details on headers and quota enforcement.

Key Rotation

LendWorks supports zero-downtime key rotation:

  1. Navigate to Admin > API Keys and click Rotate on an existing key
  2. A new key is generated immediately
  3. The old key enters a grace period (configurable, default 24 hours)
  4. Both keys work during the grace period
  5. The old key is automatically revoked when the grace period expires

During the grace period, requests using the old key receive deprecation headers:

X-Api-Key-Deprecated: true
X-Api-Key-Grace-Period-Ends: 2025-01-16T10:00:00Z

Multi-Tenancy

API keys are scoped to a single organization. All resources returned by the API are automatically filtered to the organization that owns the key — you never need to pass an orgId parameter.

Error Responses

Status | Code             | Description
-------|------------------|---------------------------------------------
401    | API_KEY_REQUIRED | No Authorization header provided
401    | INVALID_API_KEY  | Key not found or secret doesn't match
401    | API_KEY_REVOKED  | Key has been revoked (past grace period)
401    | API_KEY_EXPIRED  | Key has expired
403    | FORBIDDEN        | Key doesn't have permission for this method
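As an added example (not LendWorks' own gateway code), the check below shows the order in which a server-side authorizer would produce the responses in this table together with the permission levels and the rotation grace period described above: missing header, unknown key, revoked, expired, then grace-period handling and finally the method check. The key record fields (level, expiresAt, revoked, graceEndsAt), the lookup callback and the DEMO_KEYS entries are assumptions made for the demo; the status codes, error codes, the 403 message and the deprecation header names are the ones documented on this page.

```javascript
// Added example, not LendWorks' own gateway code: the server-side decision
// that turns the Error Responses table into a response. The record shape
// (level, expiresAt, revoked, graceEndsAt) and lookup() are assumptions.
const ALLOWED_METHODS = {
  read: new Set(['GET']),
  read_write: new Set(['GET', 'POST', 'PATCH', 'PUT']),
  full: new Set(['GET', 'POST', 'PATCH', 'PUT', 'DELETE']),
};

function errorResponse(status, code, message) {
  return { status, headers: {}, body: { errors: [{ code, message }] } };
}

// Extracts the token from "Authorization: Bearer <key>"; null if absent or malformed.
function bearerToken(authorization) {
  const m = /^Bearer\s+(\S+)$/.exec(authorization || '');
  return m ? m[1] : null;
}

// Render timestamps the way the docs show them (no milliseconds).
function isoSeconds(date) {
  return date.toISOString().replace(/\.\d{3}Z$/, 'Z');
}

// req: { method, headers: { authorization } }. lookup(token) returns a key
// record or null. Returns { status: 200, headers } when the request may
// proceed (headers carries the deprecation headers during a grace period),
// otherwise a 401/403 response with the documented error body.
function handleRequest(req, lookup, now = new Date()) {
  const token = bearerToken(req.headers.authorization);
  if (!token) return errorResponse(401, 'API_KEY_REQUIRED', 'No Authorization header provided');

  const record = lookup(token);
  if (!record) return errorResponse(401, 'INVALID_API_KEY', "Key not found or secret doesn't match");
  if (record.revoked) return errorResponse(401, 'API_KEY_REVOKED', 'Key has been revoked');
  if (record.expiresAt && now >= record.expiresAt) {
    return errorResponse(401, 'API_KEY_EXPIRED', 'Key has expired');
  }

  const headers = {};
  if (record.graceEndsAt) {
    // Rotated key: still valid until the grace period ends, then treated as revoked.
    if (now >= record.graceEndsAt) {
      return errorResponse(401, 'API_KEY_REVOKED', 'Key has been revoked (past grace period)');
    }
    headers['X-Api-Key-Deprecated'] = 'true';
    headers['X-Api-Key-Grace-Period-Ends'] = isoSeconds(record.graceEndsAt);
  }

  const method = req.method.toUpperCase();
  const allowed = ALLOWED_METHODS[record.level];
  if (!allowed || !allowed.has(method)) {
    return errorResponse(403, 'FORBIDDEN',
      `API key permission level '${record.level}' does not allow ${method} requests`);
  }
  return { status: 200, headers, body: null };
}

// Constructed records keyed by the full token for brevity; a real store
// looks up by prefix and compares the hashed secret.
const DEMO_KEYS = {
  lw_abc12_readonlysecret0: { level: 'read' },
  lw_def34_rotatedsecret00: { level: 'read_write', graceEndsAt: new Date('2025-01-16T10:00:00Z') },
  lw_ghi56_expiredsecret00: { level: 'full', expiresAt: new Date('2024-12-31T00:00:00Z') },
};
const demoLookup = (token) => DEMO_KEYS[token] || null;

module.exports = { handleRequest, bearerToken, demoLookup, ALLOWED_METHODS };
```

Authentication failures are all 401 and are decided before the method is examined, so a revoked or expired key never learns which methods it would have been allowed; only a valid key reaches the 403 branch.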

Correlation IDs

Every response includes an X-Request-Id header for request tracing:

X-Request-Id: 550e8400-e29b-41d4-a716-446655440000

Include this ID in support requests for faster debugging. You can also send your own X-Request-Id header to propagate your internal correlation IDs.

Security Best Practices

  • Store API keys in environment variables, never in source code
  • Use read permission keys for reporting — minimize blast radius
  • Rotate keys regularly and monitor the deprecation headers
  • Use separate keys for development and production environments
  • Set up IP allowlists in your organization settings for additional security