Authentication
Use this page when you need to create a BF export API key, send the correct auth header, or diagnose request failures before job processing starts.
How Access Works
The public Bulk Fill export-job API uses BF export API keys sent as Bearer tokens:
Authorization: Bearer doqlo_bfexp_<public_id>.<secret>
Current base URL:
https://api.doqlo.com
POST /v1/bulkfill/export-jobs also requires Idempotency-Key.
X-Request-Id is optional tracing only. Read-only GET requests do not
require either header.
Create A BF Export API Key
Create and manage BF export API keys from your authenticated Doqlo account page.
Current key rules:
- API keys are available on
BusinessandScale - the full secret is shown only once at creation time
- current TTL options are
30,90,180, or365days - an account can hold up to
5non-expired, non-revoked keys - the account page keeps all active keys visible and shows only the
5most recent non-active keys in its history section
Account Management Limits
The account-side key-management routes have their own mutation limits. These limits are separate from the public export-job API limits:
- create key:
3 / 10 minutes,10 / hour,30 / dayper account - revoke request:
10 / 10 minutes,30 / hourper account - successful creates plus state-changing revokes share a
50 / daybudget per account
Repeating revoke on an already revoked key remains a no-op. Those retries are still subject to the revoke-request limits, but they do not consume the shared daily mutation budget.
Send The Auth Header
Example request headers:
Authorization: Bearer doqlo_bfexp_<public_id>.<secret>
Idempotency-Key: 2f6403c7-4e52-4c7b-b435-96542ccbf4bc
X-Request-Id: support-create-001
If you omit X-Request-Id, Doqlo generates one and returns it in the response
header.
Minimal authenticated request example:
curl https://api.doqlo.com/v1/bulkfill/export-jobs/$JOB_ID \
-H "Authorization: Bearer $DOQLO_BF_EXPORT_API_KEY"
Common Authentication Failures
| Code | HTTP status | Meaning |
|---|---|---|
BF_EXPORT_API_KEY_REQUIRED | 401 | Missing header or malformed Bearer format |
BF_EXPORT_API_KEY_INVALID | 401 | Token was parsed but did not verify |
BF_EXPORT_API_KEY_REVOKED | 403 | Key was revoked |
BF_EXPORT_API_KEY_EXPIRED | 403 | Key expired |
BF_EXPORT_API_KEY_INACTIVE | 403 | Key exists but the account is not currently eligible for API use |
RATE_LIMITED | 429 | Request hit a configured public API rate limit |
Security Guidance
- Keep BF export API keys on the server side.
- Do not hardcode keys into browser code or mobile apps.
- Do not commit keys to Git or store them in shared chat logs.
- Rotate keys if a secret is exposed.
- Revoke keys you no longer use.
Read Next
- API Quickstart for the first working create request
- Idempotency for the create retry and tracing contract
- Error Handling for request failure diagnosis
- API Reference for auth requirements by endpoint
- Security & Data Handling for account, key, and shared-responsibility guidance
- Plans & Limits for current API plan eligibility