
Authentication

Every request to the Cornect API is authenticated with an API token. Tokens are created from the Cornect web app and look like cornect_….

Get an API token

Sign in to Cornect and open Account → API tokens. Click Create Token, give it a name, pick a scope (below), and copy the token — it is shown only once.

Copy it now
The full token is displayed a single time on creation. If you lose it, revoke it and mint a new one — there is no way to retrieve an existing token's value.

Choosing a scope

Each token carries a scope that limits what it can do. Pick the narrowest scope your integration needs:

  • read — all query endpoints: search companies, get company detail, check credits, and read/download exports.
  • read_write — everything read can do, plus creating exports (POST /exports), which charges credits.

Authorization header

Send the token as a bearer token on every request:

Authorization: Bearer cornect_your_token_here

Workspace binding

A token is bound to the workspace it was created in — the token is the workspace context. You do not send an X-Workspace-Id header on API requests (that header is only used by the web app's session auth). All data a token can read or write belongs to its bound workspace.

Token security

  • Treat tokens like passwords. Never commit them to source control.
  • Load them from environment variables or a secrets manager.
  • Use separate tokens per integration so you can revoke one without disrupting others.
  • Prefer read tokens for anything that doesn't need to create exports.
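
An added example, not part of the Cornect docs: a commit-gate check for the first rule above, flagging strings with the documented cornect_ prefix in files about to be committed. The token character set and minimum length after the prefix, the CORNECT_API_TOKEN variable name, and the sample text are assumptions constructed for this example.

```python
import re
import sys

# "cornect_" is the documented prefix. The character set and minimum length
# after it are assumptions for this example; adjust to real token shapes.
TOKEN_RE = re.compile(r"\bcornect_[A-Za-z0-9_-]{12,}")
# The docs' own placeholder is not a secret.
PLACEHOLDERS = {"cornect_your_token_here"}

# Constructed sample input, not real credentials.
SAMPLE = '''\
token = os.environ["CORNECT_API_TOKEN"]
curl -H "Authorization: Bearer cornect_your_token_here" ...
API_TOKEN = "cornect_A1b2C3d4E5f6G7h8I9j0"
'''


def redact(token):
    """Show prefix and last 4 characters only, so the report leaks nothing usable."""
    return token[:8] + "..." + token[-4:]


def find_tokens(text):
    """Return (line_number, redacted_token) for each suspected token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            if match.group(0) not in PLACEHOLDERS:
                findings.append((lineno, redact(match.group(0))))
    return findings


def scan_files(paths):
    """Scan files; return a list of (path, line_number, redacted_token)."""
    hits = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += [(path, n, t) for n, t in find_tokens(fh.read())]
    return hits


if __name__ == "__main__":
    # With file arguments: act as a commit gate. Without: scan the sample.
    args = sys.argv[1:]
    hits = scan_files(args) if args else [("<sample>", *f) for f in find_tokens(SAMPLE)]
    for path, lineno, token in hits:
        print(f"{path}:{lineno}: possible Cornect API token {token}")
    sys.exit(1 if hits else 0)
```

Run it over the staged files from a pre-commit hook; a non-zero exit blocks the commit, and any token it finds should be revoked rather than just deleted from the file.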

Revoking a token

Revoke a token any time from Account → API tokens. Revocation takes effect immediately — the next request with that token returns 401 INVALID_TOKEN.
