Challanwala API Docs

Authentication

Authenticate requests with your organization API secret.

Bearer-secret authentication

Every organization API request requires an Authorization header:

Authorization: Bearer YOUR_API_SECRET

The secret is organization-scoped: one organization's secret cannot be used to access another organization's data.

Key behavior

  • Only one active organization API secret is allowed at a time.
  • If you delete the active secret, existing integrations stop working immediately.
  • A replacement secret must be generated and deployed to your systems before requests succeed again.
  • Secret values are shown only once when created.

Testing vs production

Production secrets are generated in the Challanwala CMS. Testing secrets are dummy staging credentials created from the Testing guide and only work against /api/v1/staging.

Recommended storage

Store the secret in your secret manager or environment configuration. Do not embed it in frontend code, browser apps, or mobile binaries.

Auth example

cURL request
curl --request GET 'https://cms-staging.challanwala.com/api/v1/staging/locations' \
  --header 'Authorization: Bearer YOUR_API_SECRET'
JavaScript request
const response = await fetch('https://cms-staging.challanwala.com/api/v1/staging/locations', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_SECRET',
  },
});
const data = await response.json();
console.log(data);
Example response
{
  "success": true,
  "data": [
    {
      "cityId": "98bb2b02-6474-4d6d-a45c-0d37efae792d",
      "cityName": "Delhi",
      "stateId": "5326706c-df84-40e7-9b33-a7a0c254e3f5",
      "stateName": "Delhi",
      "stateCode": "DL",
      "address": "Connaught Place",
      "landmark": "Block A",
      "zipCode": "110001",
      "buildingName": "Regional Hub"
    }
  ]
}

Common authentication failures

401
Missing organization API secret

The request did not include a bearer token in the Authorization header.

401
Invalid organization API secret

The provided secret does not match an active organization API secret.

403
Organization API access is unavailable

The organization associated with the secret cannot currently use the API.

403
Service disabled for this organization

The authenticated secret is valid, but the requested service has not been enabled for the organization.

429
Too many invalid authentication attempts

The staging replica throttles repeated bad bearer tokens to keep the public test surface safe.
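
Server-side handling of the secret and of these failures, as an added example that is not Challanwala's own code: it reads the secret from the environment, fails closed when it is missing, and maps each documented status to a caller action so a bad token is never retried into the 429 throttle. The variable name CHALLANWALA_API_SECRET, the function names and the action strings are assumptions.

```javascript
// Added example. CHALLANWALA_API_SECRET, the function names and the action
// strings are assumptions for illustration, not part of the Challanwala API.
const STAGING_LOCATIONS_URL =
  'https://cms-staging.challanwala.com/api/v1/staging/locations';

// Read the secret from the environment (filled in by a secret manager or
// deployment config) and fail closed if it is absent or still the placeholder.
function loadSecret(env) {
  const secret = (env.CHALLANWALA_API_SECRET || '').trim();
  if (!secret || secret === 'YOUR_API_SECRET') {
    throw new Error('CHALLANWALA_API_SECRET is not configured');
  }
  return secret;
}

// Map the documented authentication failures to an action. None of them is
// retried with the same token: repeated bad tokens are what trigger the 429.
function decideOnStatus(status) {
  switch (status) {
    case 401: return 'verify-secret';             // missing or not the active secret
    case 403: return 'check-organization-access'; // org or service not enabled
    case 429: return 'stop-and-verify-secret';    // throttled after bad tokens
    default:  return status >= 200 && status < 300 ? 'ok' : 'inspect';
  }
}

// fetchImpl is injectable so the function can be exercised without a network.
async function getStagingLocations(env, fetchImpl = fetch) {
  const secret = loadSecret(env);
  const response = await fetchImpl(STAGING_LOCATIONS_URL, {
    method: 'GET',
    headers: { Authorization: `Bearer ${secret}` },
  });
  const action = decideOnStatus(response.status);
  if (action !== 'ok') {
    // The error carries the status and action only, never the secret.
    const err = new Error(`API returned ${response.status}: ${action}`);
    err.action = action;
    throw err;
  }
  return (await response.json()).data;
}
```

Call `getStagingLocations(process.env)` from backend code only, in line with the storage guidance above.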