Authentication

API BCE supports two authentication methods. Most integrations use API key headers; developer applications can use OAuth2 instead.

API key + secret (recommended)#

Send both headers on every request:

X-API-Key — your public key identifier
X-API-Secret — your private secret

curl https://companybelgium.be/api/v2/enterprise/0403.170.701 \
  -H "X-API-Key: $API_KEY" \
  -H "X-API-Secret: $API_SECRET"

⚠️

Never expose your API secret in client-side code, mobile apps or public repositories. Call the API from your backend.

OAuth2 (developer apps)#

Developer applications can exchange a client_id and client_secret for a short-lived bearer token using the client_credentials grant.

curl -X POST https://companybelgium.be/api/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d grant_type=client_credentials \
  -d client_id=$CLIENT_ID \
  -d client_secret=$CLIENT_SECRET

Then send the token in the Authorization header instead of the API key headers:

curl https://companybelgium.be/api/v2/enterprise/0403.170.701 \
  -H "Authorization: Bearer $ACCESS_TOKEN"

ℹ️

See the OAuth tokens reference for token lifetime and scopes.