API Keys
All requests to the Open API are authenticated with an API key sent via theapi-key HTTP header.
Creating an API Key
1
Navigate to API Keys
Go to Organizer Dashboard > Settings > API Keys tab and click + Create Key
2
Fill in details
- Name — a label for your integration (e.g., “Experia Integration”)
- Description — what this key is used for
3
Select scopes
Check the permissions your integration needs (see table below)
4
Configure optional settings
- Callback URL — webhook URL to receive order and event notifications
- IP Allowlist — comma-separated IPs to restrict key usage (leave empty to allow all)
5
Copy your key
The key is displayed once after creation — store it securely
Scopes
Each API key has specific scopes that control what it can access. Request only the scopes you need.The
orders:read scope is granted automatically when creating a key with event scopes. It will appear in the dashboard in a future update.Scope Requirements by Resource
If your key lacks a required scope, the API returns
403 FORBIDDEN with code SCOPE_REQUIRED.
IP Allowlist
For production keys, you can restrict usage to specific IP addresses or CIDR ranges:- Leave empty to allow all IPs
- Add your server’s public IP(s) for security
- Supports individual IPs and CIDR notation
403 FORBIDDEN.
Webhook Security
When Ticketnation sends webhook events to your server, each request includes an HMAC signature for verification.Verifying Webhook Signatures
Webhook Events
Webhook Payload Format
Webhook Reliability
- Failed deliveries are retried with exponential backoff (up to 3 attempts)
- Webhooks are auto-disabled after 10 consecutive failures
- Use the test endpoint to verify your webhook URL works
- Check delivery history via the API to debug failures
Security Best Practices
- Rotate keys regularly — create a new key, update your integration, then delete the old one
- Use IP allowlists in production
- Scope minimally — don’t grant
events:writeif you only needevents:read - Store keys in environment variables, never in code
- Verify webhook signatures to prevent spoofed events
- Set expiration dates for temporary integrations

