This page explains how authentication works when your systems call Qombo APIs.

For API calls, Qombo uses multiple layers of authentication:

• API key
• IP allowlist
• optional - mutual TLS (mTLS)

These checks identify your organisation, restrict access to authorized source systems, and protect sensitive operations.

<aside> <img src="/icons/info-alternate_blue.svg" alt="/icons/info-alternate_blue.svg" width="40px" />

The API online documentation is available here. For testing purpose, a dedicated Postman collection can be downloaded here.

</aside>

Authentication layers

1. API key

Send your API key in the HTTP header:

x-api-key: <your-qombo-api-key>

Qombo uses this key to identify your organisation.

If the key is missing or invalid, the request is rejected.

2. IP allowlist

After the API key is validated, Qombo checks whether the source IP is allowed for your organisation. If not, the request is rejected with 401 Unauthorized.

3. Optional - mutual TLS (mTLS)

We recommend to setup mTLS between Qombo and your systems if possible. More information on the configuration here:

Internal mTLS

Environments

For each environment, we provide: