Skip to main content

API keys

Public API keys are:
  • created inside Passu
  • tied to a Passu user account
  • scoped by Passu on creation
  • revocable and rotatable
Users do not provision credentials directly with the underlying auth provider.

Bearer tokens

Exchange your client_id and client_secret for a bearer token: 
curl --request POST \
  --url https://api.passu.ai/v1/auth/token \
  --header 'Content-Type: application/json' \
  --data '{
    "client_id": "your-client-id",
    "client_secret": "your-client-secret"
  }'
The response is a JSON object: 
{
  "access_token": "...",
  "token_type": "bearer",
  "expires_in": 3600
}
expires_in is in seconds — tokens are valid for one hour. Re-exchange your client_id and client_secret before the token expires; refresh tokens are not issued. Then call the API with: 
Authorization: Bearer <token>

Scope enforcement

The public API enforces fixed read scopes server-side:
  • read:sectors
  • read:companies
  • read:events
  • read:metrics
  • read:analyses

Access model

API keys are user-scoped. A key can only read data that the owning Passu user can access. The internal API is not part of this surface and rejects public API credentials even if a request reaches it.