This page describes common patterns, headers, responses, and conventions used throughout the Partners Portal API.
Common Headers
All API requests should include the following headers:
Required Authentication Headers
| Header | Type | Description | Example |
|---|---|---|---|
x-client-id | string | Network/integrator client identifier | network_abc123 |
x-client-secret | string | Network/integrator secret key | secret_xyz789 |
correlationId | string | IC unique identifier (NIF/Tax ID) | B12345678 |
sessionToken | string | User session token (except auth endpoints) | eyJhbGci... |
Optional Headers
| Header | Type | Description | Example |
|---|---|---|---|
Content-Type | string | Request body format (required for POST/PUT/PATCH) | application/json |
Accept | string | Preferred response format | application/json |
HTTP Methods
The API uses standard HTTP methods with the following semantics:
| Method | Usage | Idempotent | Request Body | Response Body |
|---|---|---|---|---|
GET | Retrieve resource(s) | ✅ Yes | ❌ No | ✅ Yes |
POST | Create new resource | ❌ No | ✅ Yes | ✅ Yes |
PUT | Replace entire resource | ✅ Yes | ✅ Yes | ✅ Yes |
PATCH | Partially update resource | ❌ No | ✅ Yes | ✅ Yes |
DELETE | Remove resource | ✅ Yes | ❌ No | ⚠️ Optional |
Response Format
Success Responses
All successful responses return JSON data with appropriate HTTP status codes:
200 OK - Request succeeded
Code
201 Created - Resource created successfully
Code
204 No Content - Request succeeded with no response body
Code
Error Responses
Error responses follow a consistent structure:
400 Bad Request - Invalid request data (Validation errors)
Errors follow a standard format:
- First 2 Digits represent the category of the error
- Next 2 Digits represent the specific field
- Last 2 Digits represent the specific error within that field
All errors are accompanied by a short message explaining the error and the field that caused it.
Code
401 Unauthorized - Authentication failed
Code
403 Forbidden - Insufficient permissions
Code
404 Not Found - Resource not found
Code
500 Internal Server Error - Server error
Code
HTTP Status Codes
| Code | Meaning | Common Use Cases |
|---|---|---|
200 | OK | Successful GET, PUT, PATCH |
201 | Created | Successful POST creating a resource |
204 | No Content | Successful DELETE |
400 | Bad Request | Validation errors, malformed JSON |
401 | Unauthorized | Missing or invalid authentication |
403 | Forbidden | Valid auth but insufficient permissions |
404 | Not Found | Resource doesn't exist |
409 | Conflict | Duplicate resource, business rule violation |
422 | Unprocessable Entity | Validation error in request data |
500 | Internal Server Error | Server-side error |
503 | Service Unavailable | Temporary server unavailability |
Pagination
For endpoints returning lists, pagination is supported with query parameters:
Request:
Code
Response:
Code
Filtering and Sorting
Filtering
Use query parameters for filtering:
Code
Sorting
Use the sortBy and sortOrder parameters:
Code
Common sort fields:
createdDate- Creation timestampupdatedDate- Last modification timestampname- Alphabetical by namestatus- By status value
Sort orders:
asc- Ascendingdesc- Descending
Date and Time Format
All dates and times use ISO 8601 format with UTC timezone:
Code
When sending dates in requests, use the same format:
Code
ID Formats
Different resource types use different ID formats:
- Simulations:
SIM-{UUID}(e.g.,SIM-550e8400-e29b-41d4-a716-446655440000) - Processes:
PROC-{UUID}(e.g.,PROC-123e4567-e89b-12d3-a456-426614174000) - Partners:
PART-{UUID}(e.g.,PART-9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d)
Request/Response Examples
Creating a Resource (POST)
Request:
Code
Response (201 Created):
Code
Response (400 Bad Request - Validation Error):
Code
Updating a Resource (PATCH)
Request:
Code
Response (200 OK):
Code
Response (400 Bad Request - Validation Error):
Code
Retrieving a List (GET)
Request:
Code
Response (200 OK):
Code
CORS and Security
CORS Headers
The API supports CORS for web applications with appropriate headers:
Code
Security Considerations
- HTTPS Only - All requests must use HTTPS
- No Credentials in URLs - Never pass sensitive data in query parameters
- Rate Limiting - API implements rate limiting per IC and user
- IP Whitelisting - Optional IP restriction available for networks
- Request Signing - Critical operations may require request signatures
Rate Limiting
The API implements rate limiting to ensure fair usage:
Limits:
- 100 requests per minute per IC
- 1000 requests per hour per IC
Rate Limit Headers:
Code
When rate limit is exceeded:
Response (429 Too Many Requests):
Code
Validation
Request Validation
All request data is validated before processing, with possible validation errors returned in the response:
Response (422 Unprocessable Entity - Validation Error):
Code
Common Validation Rules
- Email: Valid email format required
- Phone: International format (E.164) preferred
- Amounts: Positive numbers, max 2 decimal places
- Dates: ISO 8601 format
- IDs: Valid UUID or prefixed format
Versioning
The API version is included in the base path:
Code
Breaking changes will result in a new version (v2, v3, etc.)
Best Practices
- Always Include All Authentication Headers - Network, IC, and session credentials
- Handle Errors Gracefully - Check status codes and parse error responses
- Implement Retry Logic - Use exponential backoff for transient errors
- Cache Reference Data - Taxonomies change infrequently
- Use Pagination - Don't request all data at once for large datasets
- Monitor Rate Limits - Track rate limit headers to avoid throttling
- Validate Before Sending - Client-side validation reduces errors
- Log correlationId - Use for tracking requests across systems
Next Steps
- Authentication - Detailed authentication guide
- API Reference - Complete endpoint documentation
- Introduction - API overview and getting started