Authentication
Bearer tokens. Send the Authorization header.
Authentication
The API authenticates with bearer tokens. Send the token in the
Authorization header on every request:
curl https://zyins.isaapi.com/v3/prequalify \
-H "Authorization: Bearer $ISA_TOKEN" \
-H "Idempotency-Key: $(uuidgen)" \
-H "Content-Type: application/json" \
-d @prequalify.jsonThat's it. The SDKs read the same token from ISA_TOKEN by default.
Test vs live
| Prefix | Mode | Touches |
|---|---|---|
isa_test_* | Test | Sandbox underwriting. No live quota. No audit trail. |
isa_live_* | Live | Real underwriting, real quota, real audit log. |
You receive both at sign-up. Use isa_test_* for integration; switch the
variable to isa_live_* when you're ready to ship. See
Test mode for what stays simulated.
Getting a token
Sign up at checkout.isaapi.com. You'll receive both isa_test_* and isa_live_* tokens by email within a few minutes.
For custom procurement or high-volume accounts, email [email protected] (one-business-day turnaround).
Self-service token management from the dashboard is coming soon.
Rotation
Email [email protected] to request a rotation. The old key stays valid for 24 hours so deploys don't break, then is revoked.
Treat tokens like passwords. Store them in your secrets manager. Never commit them to source control or put them in URLs.
Leaked token? Email [email protected] right away and quote the request_id from a recent response. Support revokes it immediately.
Dashboard self-service token rotation is coming soon.
Constructors
Every SDK exposes the same factory. Pass your bearer token and the SDK handles transport, idempotency, and retries:
import { Isa } from 'isa-sdk';
// Bearer token — reads ISA_TOKEN from the environment.
const isa = await Isa.withBearer();
// Pass the token explicitly when it is not in the environment.
const isaExplicit = await Isa.withBearer({ token: process.env.MY_ISA_TOKEN });from isa_sdk import Isa
# Bearer — reads ISA_TOKEN from the environment.
isa = Isa.with_bearer()
# Explicit token.
isa = Isa.with_bearer('isa_test_4fjK2nQ7mX1aB8sR9pZ3')import sdk "github.com/isa-sdk/sdk"
// Bearer — reads ISA_TOKEN from the environment.
isa, err := sdk.WithBearer("")
// Explicit token.
isa, err := sdk.WithBearer("isa_test_4fjK2nQ7mX1aB8sR9pZ3")using Isa.Sdk;
// Bearer — reads ISA_TOKEN from the environment.
var fromEnv = IsaClient.WithBearer();
// Explicit token.
var explicitToken = IsaClient.WithBearer("isa_test_4fjK2nQ7mX1aB8sR9pZ3");use Isa\Sdk\Isa;
// Bearer — reads ISA_TOKEN from the environment.
$isa = Isa::withBearer();
// Explicit token.
$isa = Isa::withBearer('isa_test_4fjK2nQ7mX1aB8sR9pZ3');apiVersion pinning
apiVersion pinningThe apiVersion map is optional for most consumers. Use it to pin specific
surfaces to a particular wire version — useful during staged rollouts:
import { Isa } from 'isa-sdk';
// Pin prequalify to v3 explicitly (the SDK's bundled default for current releases).
const isa = await Isa.withBearer(undefined, undefined, {
apiVersion: { prequalify: 'v3' },
});Resolution at call time is:
effectiveVersion = apiVersion[surface] ?? BundledApiVersions[surface]Omit the map entirely to use the SDK release's bundled defaults for every
surface. BundledApiVersions is an exported constant you can inspect at
build time:
import { BundledApiVersions } from 'isa-sdk';
// { prequalify: 'v3', quote: 'v3', datasets: 'v3', cases: 'v1', ... }What goes wrong
| Symptom | Cause |
|---|---|
401 unauthorized | Token missing, malformed, or doesn't match its mode. |
403 forbidden | Token lacks the scope. Mint a new one with the scope. |
403 livemode_mismatch | Test token on a live endpoint or vice versa. |
See Errors for the full code catalog.
Updated about 10 hours ago