Authentication

Overview

The Chaiz Partner API uses JWT Bearer tokens for authentication. All API requests must include a valid token in the Authorization header.

Required Headers:

Authorization: Bearer YOUR_ACCESS_TOKEN
Content-Type: application/json

How to Obtain Credentials

To access the Chaiz Partners API, you need an access token:

Your partner identity is embedded in the token and resolved automatically — you do not need to send it in request bodies.

To get your credentials:

1. Contact your Chaiz partner manager to obtain your pre-generated access token
2. You will receive separate credentials for UAT (testing) and Production environments
3. Store your token securely using environment variables or a secrets management system
4. Tokens do not expire but can be rotated on request for security purposes

Environment-Specific Configuration

Chaiz provides separate environments for testing and production:

How to Use Authentication

Every request requires the Authorization header with your JWT token. The partner field in the request body is optional — your partner identity is resolved automatically from the token.

Example Request

curl -X POST https://chaiz-api.azurewebsites.net/api/v2/Partners/PlansSearchAsync/VIN \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "searchCriteria": {
      "vin": "1HGBH41JXMN109186",
      "mileage": 55555,
      "stateShortName": "TX"
    }
  }'

Self-Service Registration

You can register for instant API access without contacting Chaiz staff. See the Registration endpoints in the API Reference for full request/response details.

Registration Flow

1. Register — call POST /api/v2/Partners/Register with your email, display name, and terms agreement. A verification code is sent to your email.
2. Verify — call POST /api/v2/Partners/Register/Verify with your email and verification code. On success, you receive your API key, partner ID, tier, and rate limit information.
3. Use your key — include the API key as a Bearer token in the Authorization header for all Partner API requests.

Key Management

Once registered, you can manage your API key (all require your current key as Bearer token):

• Rotate — POST /api/v2/Partners/Register/Rotate invalidates your current key and issues a new one
• View usage — GET /api/v2/Partners/Register/Usage returns your registration details and rate limits
• Deactivate — DELETE /api/v2/Partners/Register permanently deactivates your key

Security Requirements

As outlined in our API License and Acceptable Use Policy, you must comply with the following security requirements:

Token Storage (Required)

You are responsible for securing your API credentials and all activity that occurs using your credentials. You must implement industry-standard security measures to protect credentials from unauthorized access, use, or disclosure.

HTTPS Only (Required)

Credential Rotation

Tokens do not expire but can be rotated on request for security purposes. Contact your Chaiz partner manager to request token rotation.

Partner Field Validation

The partner field in request bodies is optional. If omitted, it is resolved automatically from your token. If you choose to include it, it must match your token's partner identity — mismatched values will result in authentication errors.

Legal Compliance

By using the Chaiz API, you agree to comply with:

• API License - Terms governing API usage
• Acceptable Use Policy - Technical and usage requirements

Review these documents for complete security obligations, rate limits, and usage restrictions.

Need Help?

Contact your Chaiz partner manager if you:

• Need to obtain API credentials
• Have authentication issues
• Need to change your access tier
• Require token rotation or revocation