Tablewealth

Authentication

Authenticate API requests with scoped API keys and enforce access through discovery.

All API routes require an API key in the X-API-Key header.

Send the API key

Store API keys in server-side environment variables. Do not expose them in browser code.

TypeScript

const response = await fetch('https://api.tablewealth.com/v1/accounts', {
  headers: {
    'X-API-Key': process.env.TABLEWEALTH_API_KEY!
  }
});

cURL

curl "https://api.tablewealth.com/v1/api-key" \
  -H "X-API-Key: $TABLEWEALTH_API_KEY"

Python

import os
import requests

response = requests.get(
    "https://api.tablewealth.com/v1/accounts",
    headers={"X-API-Key": os.environ["TABLEWEALTH_API_KEY"]},
    timeout=30,
)
response.raise_for_status()
body = response.json()

Security model

Every response is constrained by the API key.

Organization scope

The key determines the organization. API requests never accept an organization id or user id from client input.

Permission scope

Each endpoint requires a scope. If the key lacks the required scope, the API returns a normalized forbidden_scope error.

Account scope

Account data and derived data are constrained by the key's account access policy. Restricted keys can produce empty lists even when the organization has more data.

Scope reference

Scope                Unlocks
organization:read    GET /v1/organization
accounts:read        GET /v1/accounts, GET /v1/accounts/{accountId}
transactions:read    Transaction list endpoints
holdings:read        Holding list endpoints
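
The following is an added example, not Tablewealth's own code. It derives the smallest scope set for the calls an integration makes, using only the table rows whose routes are spelled out above, and separates a forbidden_scope denial from a list emptied by the account access policy. The function names and the sample response bodies are assumptions; the page does not document the response envelope, so the check looks for the forbidden_scope value anywhere in the parsed JSON.

```python
import json
import re

# Rows of the Scope reference table whose routes the page spells out.
ROUTE_SCOPES = [
    ("GET", re.compile(r"/v1/organization"), "organization:read"),
    ("GET", re.compile(r"/v1/accounts(/[^/]+)?"), "accounts:read"),
]

def required_scope(method, path):
    """Scope a route needs, or None when the page does not list the route."""
    for verb, pattern, scope in ROUTE_SCOPES:
        if verb == method.upper() and pattern.fullmatch(path):
            return scope
    return None

def minimal_scopes(calls):
    """Smallest scope set covering the (method, path) calls an integration makes."""
    scopes = set()
    for method, path in calls:
        scope = required_scope(method, path)
        if scope is None:
            raise ValueError(f"no documented scope for {method} {path}")
        scopes.add(scope)
    return scopes

def _mentions(value, needle):
    """True if needle is a string value anywhere in the parsed JSON."""
    if isinstance(value, dict):
        return any(_mentions(v, needle) for v in value.values())
    if isinstance(value, list):
        return any(_mentions(v, needle) for v in value)
    return value == needle

def classify(raw_body):
    """Tell a scope denial apart from a list emptied by account access policy."""
    body = json.loads(raw_body)
    if _mentions(body, "forbidden_scope"):
        return "missing_scope"  # the key lacks a scope; retrying will not help
    if isinstance(body, dict):
        lists = [v for v in body.values() if isinstance(v, list)]
    else:
        lists = [body] if isinstance(body, list) else []
    if lists and all(not items for items in lists):
        return "empty_list"  # restricted key or no data; not proof of absence
    return "ok"

# Constructed sample bodies (assumed envelope, for illustration only).
DENIED = '{"error": {"code": "forbidden_scope"}}'
EMPTY = '{"data": []}'
```

An "empty_list" result should not be logged or alerted on as an error, and it should not be read as evidence that the organization holds no data.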
