Skip to main content

API Keys

All requests to the Open API are authenticated with an API key sent via the api-key HTTP header.

Creating an API Key

1

Navigate to API Keys

Go to Organizer Dashboard > Settings > API Keys tab and click + Create Key
2

Fill in details

  • Name — a label for your integration (e.g., “Experia Integration”)
  • Description — what this key is used for
3

Select scopes

Check the permissions your integration needs (see table below)
4

Configure optional settings

  • Callback URL — webhook URL to receive order and event notifications
  • IP Allowlist — comma-separated IPs to restrict key usage (leave empty to allow all)
5

Copy your key

The key is displayed once after creation — store it securely

Scopes

Each API key has specific scopes that control what it can access. Request only the scopes you need.
The orders:read scope is granted automatically when creating a key with event scopes. It will appear in the dashboard in a future update.

Scope Requirements by Resource

If your key lacks a required scope, the API returns 403 FORBIDDEN with code SCOPE_REQUIRED.

IP Allowlist

For production keys, you can restrict usage to specific IP addresses or CIDR ranges:
  • Leave empty to allow all IPs
  • Add your server’s public IP(s) for security
  • Supports individual IPs and CIDR notation
Requests from non-allowlisted IPs receive 403 FORBIDDEN.

Webhook Security

When Ticketnation sends webhook events to your server, each request includes an HMAC signature for verification.

Verifying Webhook Signatures

Webhook Events

Webhook Payload Format

Webhook Reliability

  • Failed deliveries are retried with exponential backoff (up to 3 attempts)
  • Webhooks are auto-disabled after 10 consecutive failures
  • Use the test endpoint to verify your webhook URL works
  • Check delivery history via the API to debug failures

Security Best Practices

  1. Rotate keys regularly — create a new key, update your integration, then delete the old one
  2. Use IP allowlists in production
  3. Scope minimally — don’t grant events:write if you only need events:read
  4. Store keys in environment variables, never in code
  5. Verify webhook signatures to prevent spoofed events
  6. Set expiration dates for temporary integrations