Authentication
Authentication
The Ply API uses API key authentication. Every request must include your API key in the API_KEY header.
API keys grant access to your business data. Treat them like passwords — never commit them to source control or expose them in client-side code.
Creating an API key
Scopes
API keys are scoped to limit what they can access. When creating a key, select only the scopes your integration needs. A key without the required scope for an endpoint will receive a 403 Insufficient Scope error.
Available scopes
Write scopes implicitly include read access for the same resource. A key with materials:write can also read materials.
Rate limits
API requests are rate-limited per business to ensure fair usage across all integrations.
All API keys belonging to the same business share a single rate limit pool. Creating multiple keys does not increase your limits.
Rate limit headers
Every response includes headers showing your current usage:
Handling 429 Too Many Requests
When you exceed the rate limit, the API returns:
The Retry-After header tells you how many seconds to wait before retrying:
Implement exponential backoff in your integration. Start with the Retry-After value, then double the wait time on consecutive 429s.
Environments
Use separate API keys for each environment. Sandbox keys do not work in production and vice versa.
Example: Complete authenticated request
Security best practices
- Rotate keys regularly — revoke and recreate keys periodically
- Use minimum scopes — only grant the access your integration needs
- Store keys securely — use environment variables or a secrets manager, never hardcode
- Monitor usage — check the API Keys page in the dashboard for usage metrics
- Use sandbox for development — test against sandbox before pointing at production