Authentication
Every request to the OJobs Developer API must include a valid API key. Requests without a key, or with an invalid, expired, or revoked key, return 401 Unauthorized.
curl https://ojobs.site/api/v1/jobs \
-H "Authorization: Bearer YOUR_API_KEY"Getting an API key
You can create and manage your API keys from Settings → API Keys in the OJobs dashboard. Each key is shown in full only once, at creation — store it somewhere safe.
See API Keys for details on creating, revoking, and rotating keys.
Using your key
Pass your key in the Authorization header on every request, prefixed with Bearer:
Authorization: Bearer ojobs_prod_xxxxxxxxxxxx
Key types
| Prop | Type | Default |
|---|---|---|
ojobs_prod_... | Production key | - |
ojobs_test_... | Test key | - |
Test mode
Requests made with a ojobs_test_... key never touch your organisation's real data. Instead, every endpoint returns a small, fixed set of sandbox jobs — the same jobs, every time, for every test key. This lets you build and test an integration end-to-end without any risk of exposing real applicant or job data, and without needing to seed your own account with fake posts.
Because the sandbox dataset is fixed, don't rely on it reflecting the number or content of jobs you've actually posted — swap to a ojobs_prod_... key once you're ready to go live.
Restricting a key to specific origins
When creating a key, you can optionally set a list of allowed origins. If set, requests carrying an Origin header that isn't on the list are rejected with 403 Forbidden. Leave the list empty to allow requests from anywhere (e.g. server-to-server calls, which typically don't send an Origin header at all).
Who can use API keys
API keys can only be used by organisation accounts that have been approved through OJobs' verification process. If your account is a student/freelancer account, or your organisation hasn't been approved yet, requests will fail with 403 Forbidden even with a valid key.
Common errors
| Prop | Type | Default |
|---|---|---|
401 | Unauthorized | - |
403 | Forbidden | - |
See Errors for the full list of error codes.
Keep your key secret
Never expose your API key in client-side code, public repositories, or logs. If a key is ever compromised, revoke it immediately from Settings and generate a new one — revoking is instant and permanent.