Skadi Partner API Console

Getting started

Four steps from zero to a priced excess layer: request credentials, pin a contract version, sign your first request, and handle retries safely.

1. Request credentials

Open the Request key form in the producer portal. Pick a preset that matches your appointment — indicative-pricing (default, stateless math), read-only (analytics), brokerage-producer (reads + indicative for brokerage placements), or binding-authority (full quote-bind lifecycle for LoA holders). Sandbox keys are auto-provisioned on partner-intent signups; production keys after a successful sandbox integration test.

2. Pin a contract version

Send Skadi-API-Version: 2026-04-25 on every request. Omitting the header opts into "latest" and may surface breaking changes when a new version ships. The 12-month deprecation window is documented in the changelog.

3. Make your first request

The lowest-friction endpoint is POST /rate-quote — pure compute, no persistence, no idempotency requirement. 

# Bind the timestamp once — the header and the signed string must agree.
TS=$(date +%s)
BODY=$(cat body.json)
SIG=$(printf '%s.%s' "$TS" "$BODY" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$SKADI_HMAC_SECRET" | awk '{print $NF}')

curl -X POST https://zsznsjvcluslttkxjhng.supabase.co/functions/v1/rate-quote \
  -H "Content-Type: application/json" \
  -H "Skadi-API-Version: 2026-04-25" \
  -H "X-API-Key: $SKADI_API_KEY" \
  -H "X-Timestamp: $TS" \
  -H "X-Signature: sha256=$SIG" \
  --data-binary "$BODY"

The TypeScript SDK handles signing, version pinning, and idempotency for you — see the SDK guide. The signing scheme itself (header set, timestamp skew, GET canonicalization) is specified on the Authentication page.

Prefer a one-click import?

Ready-made collections cover both auth modes with signing pre-wired — fill two environment variables and run: Postman — HMAC · Postman — OAuth · Bruno · sandbox environment. The same files are downloadable from the developer dashboard, and the full OpenAPI 3.1 spec at openapi.yaml feeds openapi-generator for typed clients in any language.

4. Idempotency

All POST endpoints accept an Idempotency-Key header. Use a fresh UUIDv4 per logical operation; retain across network retries; discard after success. Replays return the original body. The SDK auto-generates this header.

5. Errors

All non-2xx responses are RFC 7807 application/problem+json with a stable type URI, plus x-request-id and trace_id for support. See the API reference for the full catalog.