Getting started

Every endpoint in the API reference requires two header values: Authorization (a bearer token) and client-id. This page covers where to find them and how to send a request.

⚠ Mutating endpoints affect production data. POST/PUT/PATCH/DELETE requests against the live API change real data. Use a non-production Authorization token where possible, and treat the reference as a live tool, not a sandbox.

Authorization

A bearer token: Authorization: Bearer <token>.

Where to obtain one depends on which audience you belong to:

  • IBA staff — sign in to the Admin dashboard, open the browser dev tools, and copy the Authorization header from any authenticated XHR. The token is rotated on each login.
  • Third-party integrators — your token is provisioned during onboarding. If you’ve lost it, contact your IBA technical liaison.
  • Internal engineering — generate a development token via the API’s /auth/login endpoint with your dev credentials. See WWW: Authentication for the flow.

client-id

A string identifying which client is making the call. Issued by IBA at onboarding for partners; staff use a fixed internal value.

  • Partners — your client-id was provided in your integration kit.
  • Staff / internal — use the value from your local .env (look for IBA_CLIENT_ID) or copy it from any authenticated request in the Admin dashboard.

Executing a request

Each endpoint reference page offers two ways to run a request:

Copy as cURL

Every endpoint page includes a curl snippet pre-populated with the method, URL, headers, and example body. Hover the code block, click the copy icon, then substitute the <token> and <client-id> placeholders before running it in your terminal.

curl --request POST \
  --url 'https://api.tunnelflight.com/api/auth/login' \
  --header 'Authorization: Bearer <token>' \
  --header 'client-id: <client-id>' \
  --header 'content-type: application/json' \
  --data '{"username":"...","password":"..."}'

Open in Bruno desktop

Every endpoint page has a View source on GitHub → link pointing at the originating .bru file in api/bruno/. Team members with Bruno desktop installed can clone the repo and open the collection at api/bruno/<service>/ to execute requests against the live API with full environment-variable, auth, and test support. Partners can read the .bru source as plain text — it’s a simple, well-documented format.

The full Bruno collection per service lives under api/bruno/ on GitHub.

Conventions across services

The six services share the same HTTP conventions — status codes, error envelope shape, auth header format. See Conventions for the canonical reference.

When something goes wrong

  • 401 Unauthorized — token expired or wrong audience. Get a fresh one.
  • 403 Forbidden — token valid but the account lacks permission for that endpoint.
  • CORS error — the API only accepts requests from approved origins. If you’re running the request from a browser context (rather than curl or Bruno), the endpoint needs adding to the API’s CORS allow-list (file a ticket with the API team).
  • Endpoint page is missing — the corresponding service may have no Bruno collection yet, or its registry.json entry hasn’t been added. See the index at /api for the full list of services with their import status.
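
The wrapper below is an added example, not part of the IBA documentation or its tooling. It sends the two required headers from environment variables through curl's stdin config, so the token stays out of shell history and the process list, refuses mutating methods unless explicitly enabled, and maps the status code to the causes listed above. IBA_API_TOKEN and IBA_ALLOW_MUTATION are hypothetical names; IBA_CLIENT_ID is the .env variable mentioned on this page.

```shell
#!/bin/sh
# Added example, not IBA's code. IBA_API_TOKEN and IBA_ALLOW_MUTATION are
# hypothetical names; IBA_CLIENT_ID is the .env variable named on this page.

# Print a curl config holding the two required headers. Values that could
# break out of the quoted config string are rejected.
iba_curl_config() {
  nl='
'
  cr=$(printf '\r')
  for v in "${IBA_API_TOKEN-}" "${IBA_CLIENT_ID-}"; do
    case "$v" in
      ''|*'"'*|*'\'*|*"$nl"*|*"$cr"*)
        echo 'IBA_API_TOKEN or IBA_CLIENT_ID is missing or malformed' >&2
        return 1 ;;
    esac
  done
  printf 'header = "Authorization: Bearer %s"\n' "$IBA_API_TOKEN"
  printf 'header = "client-id: %s"\n' "$IBA_CLIENT_ID"
}

# Map a status code to the causes listed under "When something goes wrong".
iba_explain_status() {
  case "$1" in
    2??) echo "ok ($1)" ;;
    401) echo '401: token expired or wrong audience, get a fresh one' ;;
    403) echo '403: token valid, account lacks permission for this endpoint' ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# iba_request METHOD URL [JSON_BODY_FILE] -> prints the status explanation.
iba_request() {
  method=$1; url=$2; bodyfile=${3-}
  if [ "$method" != GET ] && [ "${IBA_ALLOW_MUTATION-}" != 1 ]; then
    echo "refusing $method: set IBA_ALLOW_MUTATION=1 to change live data" >&2
    return 2
  fi
  cfg=$(iba_curl_config) || return 1
  set -- --silent --show-error --config - --request "$method" --url "$url" \
         --output /dev/null --write-out '%{http_code}'
  if [ -n "$bodyfile" ]; then
    set -- "$@" --header 'content-type: application/json' --data "@$bodyfile"
  fi
  # Headers travel over stdin, so the token never appears in curl's argv.
  status=$(printf '%s\n' "$cfg" | curl "$@") || return 1
  iba_explain_status "$status"
}
```

The request body is read from a file rather than passed inline, which keeps credentials such as the login password out of the command line as well.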