Making API requests with API Key

An application that holds the API key is assumed to be authorized and trusted. More importantly, the application will also have full access to the organization's resources in SmartRecruiters.

This guide provides information on:

  • The steps required to make an API requests using API Key
  • Tips to use and manage your API Keys

1. Obtaining an API Key

In SmartRecruiters Credential Manager, click the button 'New Credential' and choose the option 'API Key'.


You will need to define the Credential name and the Description your new API key.

As best practices, we recommend you to provide a name and a description that help you and your admins to understand the function and purpose of the API key.

Click the 'Generate' button on the bottom of the page once you defined the name and the description. A value of API key will be displayed on a pop-up, this is your new API key.


Keeping your API key safe and secure

The API key value displayed on the pop-up will only be shown once. For security consideration, admins will not be able to retrieve or see the after the initial pop-up is closed.

Because an API key provide full access to the organization's resource in SmartRecruiters, we strongly recommend the generator of the credential to keep these Client Credentials safe and secure to prevent the API key from falling into the wrong hands.

2. Making an API request

To make an API request to SmartAPIs, include the API key in the header of the request as X-SmartToken 'your-api-key-value' like the following example request:

curl -X POST "https://api.smartrecruiters.com/jobs" \
-H "Content-Type: application/json" \
-H "X-SmartToken: DCRA1-d0b1128084fb427ea**************" \
-d '{
    "firstname": "Susan",
    "lastname": "Santos", 
    "systemRole": {"id": "ADMINISTRATOR"}, 
    "language": {"code":"en"},
    "location": {"countryCode": "US", "city":"San Francisco"}

3. Revoking access

The API Key does not have an expiration date. And in scenario where an API key is not used, lost or suspected to be used maliciously by a third party, admins can revoke the key simply by clicking the 'Revoke' button in Credential Manager.