This page covers how to obtain, store, use, and rotate your CorpNet API key. For the auth model itself — what header to send and how errors are reported — see Authorization.
Obtaining a Key
CorpNet issues API keys directly to partners as part of onboarding. To request a key:
- Contact your CorpNet account manager.
You will receive separate keys for staging and production. Validate your integration against staging before promoting to production.
Treat your API key like a password. Anyone who holds the key can issue requests on your partner account. Do not commit it to source control, share it over chat, embed it in client-side code, or paste it into screenshots or logs.
Storing the Key
Pull the key from a secrets store at runtime — never hard-code it into your application.
| Environment | Recommended storage |
|---|---|
| Production (cloud) | Azure Key Vault, AWS Secrets Manager, GCP Secret Manager, or your platform's equivalent |
| Production (on-prem) | A secrets manager such as HashiCorp Vault |
| Local development | Your OS credential store (Windows Credential Manager, macOS Keychain, Linux libsecret) — or a .env.local file that is excluded from version control |
Using the Key
Send the key on every request as a Bearer token in the Authorization header:
Authorization: Bearer <your_api_key>
Replace <your_api_key> with the value CorpNet issued to you. See Authorization for full request examples against the Business Formation and Tax Registration APIs.
Rotating the Key
If your key is leaked, you suspect compromise, or you want to rotate on a regular security cadence:
- Contact your CorpNet account manager and request a rotation.
- Once a replacement is issued, update the value in your secrets store.
- Deploy the change to all applications and services that use the key.
- Old keys stop working as soon as the replacement is issued. There is no overlap window — plan rotations during a maintenance window or when traffic is low.
Environment Scope
Keys are bound to a specific environment:
- A staging key authenticates only against the staging hosts.
- A production key authenticates only against the production hosts.
Calling a production host with a staging key — or vice versa — returns 401 Unauthorized. See Authorization for the host list.
Your key's product entitlement (Business Formation, Tax Registration, or both) follows your partner agreement. If a call returns 403 Forbidden, your key may not be entitled to that API product; contact your CorpNet account manager to confirm scope.
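The following is an added example, not CorpNet's code, of a long-running client that copes with the no-overlap rotation under Rotating the Key and the 401/403 meanings under Environment Scope: on a 401 it reloads the key from the secrets store once and retries only if the value changed. `fetch_key` and `send` are hypothetical stand-ins for your secrets-store read and your HTTP transport, and the key values are constructed.

```python
from typing import Callable

class CorpNetAuthError(Exception):
    """401/403 from the API, with the cause the status code points to."""

class KeyedClient:
    # fetch_key: hypothetical read from your secrets store (assumption).
    # send: hypothetical transport; takes headers, returns the HTTP status.
    def __init__(self, fetch_key: Callable[[], str], send: Callable[[dict], int]):
        self._fetch_key, self._send = fetch_key, send
        self._key = fetch_key()  # held in memory only, never written out

    def __repr__(self) -> str:  # keeps the key out of logs and debug output
        return "KeyedClient(key=<redacted>)"

    def _headers(self) -> dict:
        return {"Authorization": f"Bearer {self._key}"}

    def call(self) -> int:
        status = self._send(self._headers())
        if status == 401:
            # Old keys stop working as soon as a replacement is issued, so the
            # cached key may be stale. Reload once; retry only if it changed.
            fresh = self._fetch_key()
            if fresh != self._key:
                self._key = fresh
                status = self._send(self._headers())
        if status == 401:
            raise CorpNetAuthError("401: key rotated or revoked, or key and host are in different environments")
        if status == 403:
            raise CorpNetAuthError("403: key may not be entitled to this API product")
        return status

def demo_rotation() -> list:
    """Constructed scenario: the key is rotated between two calls."""
    store = {"key": "constructed-old-key"}  # stands in for the secrets store
    valid = {"key": "constructed-old-key"}  # what the fake server accepts
    sent = []

    def send(headers: dict) -> int:
        sent.append(headers["Authorization"])
        return 200 if headers["Authorization"] == f"Bearer {valid['key']}" else 401

    client = KeyedClient(lambda: store["key"], send)
    first = client.call()
    store["key"] = valid["key"] = "constructed-new-key"  # rotation, no overlap
    second = client.call()
    return [first, second, len(sent)]
```

A 401 that persists after the reload is not retried, since the same key against the same host will keep failing until the key or the host is corrected.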