
Overview

All API requests to Exterview require authentication using two methods combined:
  1. API Key - Organization-specific identifier
  2. Bearer Token - User-specific authorization token
Both must be included in every request to access the API endpoints.

Required Headers

Every API request must include the following three headers:
  • x-api-key (string, required): Your organization-specific API key. Contact your administrator to obtain this key.
  • Authorization (string, required): Bearer token in the format: Bearer YOUR_TOKEN
  • Content-Type (string, required): Request content type: application/json or multipart/form-data (for file uploads)

Base URLs

Exterview provides two environments for API access:

Production

https://api.exterview.ai/graphql
Use this for production applications and live data.

Sandbox

https://sandbox-api.exterview.ai/graphql
Use this for testing and development purposes.

Quick Start Example

Here’s a complete example showing how to authenticate and make your first API request:
curl -X POST https://api.exterview.ai/graphql \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"query": "query { interviews { id title } }"}'

Getting Your Credentials

API Key

Your organization’s API key is available in the Exterview dashboard:
  1. Log in to your Exterview account
  2. Navigate to Settings > API Keys
  3. Copy your organization’s API key
Keep your API key secure and never commit it to version control. Use environment variables to store sensitive credentials.

Bearer Token

The Bearer token is generated when you authenticate:
  1. Use your Exterview credentials to log in
  2. The authentication response includes your Bearer token
  3. Include this token in all subsequent API requests
Bearer tokens typically expire after a certain period. Implement token refresh logic in your application to handle expiration.

Authentication Errors

Status Code  Error         Description
400          Bad Request   Missing required headers or invalid format
401          Unauthorized  Invalid or missing API key or Bearer token
403          Forbidden     API key lacks required permissions for this operation

Example Error Responses

{
  "error": "Missing or invalid API key or token"
}

Security Best Practices

Never hardcode API keys or tokens in your source code. Use environment variables:
export EXTERVIEW_API_KEY="your_api_key"
export EXTERVIEW_BEARER_TOKEN="your_token"
Rotate your API keys and tokens periodically to maintain security:
  • API keys: Every 90 days
  • Bearer tokens: Implement automatic refresh
Always use HTTPS (not HTTP) when making API requests to ensure your credentials are encrypted in transit.
Configure your API key with the minimum required permissions for your use case. Avoid using admin-level keys for routine operations.
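
The environment-variable and HTTPS practices above can be enforced in a small wrapper. The following is an added example, not Exterview's own code: it writes the three required headers as a curl config that curl reads from stdin with -K -, so the secrets do not appear in the process argument list the way -H arguments do. The function names and the allowed credential character set are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the Exterview docs). Function names are hypothetical.

# Accept only the two HTTPS base URLs listed on this page.
exterview_url_ok() {
  case "$1" in
    https://api.exterview.ai/graphql|https://sandbox-api.exterview.ai/graphql) return 0 ;;
    *) return 1 ;;
  esac
}

# Assumption: credentials use only token-style characters. Anything else
# (quotes, spaces, line breaks) could break out of the quoted config value
# or inject an extra header, so it is rejected.
exterview_secret_ok() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[!A-Za-z0-9._~+/=-]*) return 1 ;;
  esac
  return 0
}

# Print a curl config with the three required headers, taken from the
# environment variables named on this page. printf is a builtin in bash and
# dash, so the secrets are not passed to an external process as arguments.
exterview_curl_config() {
  url=${1:-https://sandbox-api.exterview.ai/graphql}
  exterview_url_ok "$url" || { echo "refusing URL: $url" >&2; return 2; }
  for v in "${EXTERVIEW_API_KEY:-}" "${EXTERVIEW_BEARER_TOKEN:-}"; do
    exterview_secret_ok "$v" || { echo "credential missing or malformed" >&2; return 3; }
  done
  printf 'url = "%s"\n' "$url"
  printf 'header = "x-api-key: %s"\n' "$EXTERVIEW_API_KEY"
  printf 'header = "Authorization: Bearer %s"\n' "$EXTERVIEW_BEARER_TOKEN"
  printf 'header = "Content-Type: application/json"\n'
}

# Usage (the query body is not secret, so it can stay on the command line):
#   exterview_curl_config | curl -sS -K - -d '{"query": "query { __typename }"}'
```

Without an argument the function targets the sandbox URL; pass the production URL explicitly when you mean to use live data.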

Testing Your Authentication

Use this simple query to verify your authentication is working correctly:
query {
  __typename
}
If authentication is successful, you’ll receive:
{
  "data": {
    "__typename": "Query"
  }
}
Authentication Successful! You’re now ready to start using the Exterview API. Check out the API Reference to explore available endpoints.

Need Help?

Having trouble with authentication? Here are some resources: