Authentication and Request Signing
TapResearch’s Partner API uses two mechanisms to control access and verify request integrity:
- API Token — identifies your partner account. Only required on endpoints that need authentication.
- API Secret — used to generate
sechsignatures for specific flows. Never sent directly in a request.
All Partner API endpoints require your API token for authentication, so this page focuses on when credentials are needed and how request signing works at a high level.
API Token
Your API token is required on all Partner API endpoints.
Send it via header:
| Header | Description |
|---|---|
X-Api-Token | Identifies your partner account. |
This header is always required.
User Identifiers
For endpoints involving participant context, include the relevant identifiers:
| Header | Required | Description |
|---|---|---|
X-User-Identifier | Yes | Unique user or device identifier (UUIDv4). |
X-Device-Identifier | Optional | Hardware/device ID for multi-device distinction. |
Using the API Secret
Your API secret is never transmitted. It is only used to generate signatures (sech) for two flows:
- Impanel Security Hash (
/players/impanel) - Redirect Signing (verifying redirect callbacks)
For complete signing instructions, see: