Authorization

All requests to the CorpNet API must include a valid Authorization header carrying a Bearer token. Requests without one — or with an invalid token — are rejected before any processing.

Authentication Method

The CorpNet API uses Bearer token authentication. CorpNet issues your token directly; there is no OAuth flow, no token exchange, and no refresh step. The token you receive is the token you send on every request, unchanged.

Your token is scoped to what you licensed

CorpNet offers two API products: Business Formation and Employer Tax Registration. Your token's entitlement matches your partner agreement — partners who license one product receive a token scoped to that product, and partners who license both receive a single token that authenticates against both. If a call is rejected with 403 Forbidden, your token may not be entitled to the endpoint you're calling. Contact your CorpNet account manager to confirm scope.

See API Key for how to obtain and store yours.

Required Header

Every request must carry:

Authorization: Bearer <your_api_key>

Replace <your_api_key> with the value CorpNet issued to you. Treat it like a password — it grants access to your partner account.

Example: Business Formation API

GET /api-partners-v8/order/{orderGuid} HTTP/1.1
Host: api.corpnet.com
Authorization: Bearer YOUR_API_KEY_HERE
Accept: application/json

Example: Tax Registration API

GET /api/api-partners-v10/tax-reg-50states/{orderGuid} HTTP/1.1
Host: api.corpnet.com
Authorization: Bearer YOUR_API_KEY_HERE
Accept: application/json

Hosts at a glance

  • Production: both APIs are served from https://api.corpnet.com
  • Staging: both APIs are served from https://api.staging24.corpnet.com

Error Responses

Status | Cause
401 Unauthorized | The Authorization header is missing, malformed, or carries an invalid or revoked token.
403 Forbidden | The token is valid but does not grant access to the requested resource. Common causes: the token is not entitled to the API product you are calling (Business Formation vs. Tax Registration), or the resource belongs to a different partner.
500 Internal Server Error | An unexpected server-side failure. Retry with backoff; if it persists, contact your CorpNet account manager.

The error body shape varies by endpoint family. Both APIs return a top-level envelope similar to:

{
  "statusCode": 401,
  "message": "Unauthorized",
  "errorMessage": ["Invalid or missing API key."]
}

Do not rely on a specific error string — branch on the HTTP status code instead.


Operational Notes

  • Always send the header. Every endpoint requires it, including GET requests and order-status polls.
  • Never embed the token in client-side code. Keep API calls server-side and pull the key from a secrets manager (Azure Key Vault, AWS Secrets Manager, Windows Credential Manager for local development).
  • Rotation: if your token is leaked or you need a new one, contact your CorpNet account manager. Old tokens stop working as soon as a replacement is issued.
  • Staging vs. production keys are distinct. A key issued for staging will not authenticate against production hosts, and vice versa.
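
The following server-side sketch ties the header, host, and error-handling rules above together. It is an added example, not CorpNet's own code. It assumes the key is injected from your secrets manager into an environment variable named CORPNET_API_KEY, that send is a hypothetical transport hook wrapping your HTTP client, and that the 1s/2s/4s backoff schedule is acceptable.

```python
import os
import time
from urllib.parse import urlsplit

# Hosts listed on this page; the token is never attached to any other host.
ALLOWED_HOSTS = {"api.corpnet.com", "api.staging24.corpnet.com"}


def auth_headers(env=os.environ):
    """Build request headers from CORPNET_API_KEY (assumed variable name)."""
    token = env.get("CORPNET_API_KEY", "").strip()
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("CORPNET_API_KEY is unset or malformed")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def check_url(url):
    """Refuse plaintext HTTP and hosts other than the two CorpNet hosts."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing to send token to {url!r}")
    return url


def call(send, url, env=os.environ, retries=3, sleep=time.sleep):
    """send(url, headers) -> (status, body) is a hypothetical transport hook.

    Branches on the HTTP status code only, never on the error strings.
    """
    headers = auth_headers(env)
    check_url(url)
    for attempt in range(retries + 1):
        status, body = send(url, headers)
        if status == 401:
            raise PermissionError("401: token missing, malformed, invalid or revoked")
        if status == 403:
            raise PermissionError("403: token not entitled to this product or resource")
        if status == 500 and attempt < retries:
            sleep(2 ** attempt)  # backoff: 1s, 2s, 4s
            continue
        if status >= 400:
            raise RuntimeError(f"request failed with HTTP {status}")
        return body
```

The exceptions carry only the status code and its cause, so the token never reaches logs or error reports through this path.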