Where auth is enforced
Authentication and usage enforcement are handled by API Gateway:
- API key validation
- Usage plan throttle limits
- Usage plan monthly quotas
Required endpoints
X-API-Key is required for:
- GET /v1/search/property
- GET /v1/property/{property_id}/permits
- GET /v1/property/{property_id}/profile
Common auth responses
- Missing or invalid key: 403
- Throttle/quota exceeded: 429
Security posture
- Treat API keys as server-side credentials.
- Do not expose API keys in public browser clients.
- Rotate keys on a regular schedule and on any suspicion of leakage.
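
A server-side caller that follows the points above, as an added example (not code from this API's maintainers): the key is read from the environment, sent only in the X-API-Key header, a 403 stops immediately, and a 429 gets bounded backoff. The host `api.example.invalid`, the `PROPERTY_API_KEY` variable name, and the function and exception names are assumptions.

```python
import os
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder host (assumption)
KEY_ENV = "PROPERTY_API_KEY"  # assumed environment variable name


class AuthError(Exception):
    """403: key missing or invalid. Retrying with the same key cannot succeed."""


class ThrottledError(Exception):
    """429: throttle limit or monthly quota exceeded after all retries."""


def http_get(url, headers):
    """Default transport: return (status, body), including for HTTP errors."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_permits(property_id, transport=http_get, sleep=time.sleep, max_retries=3):
    """GET /v1/property/{property_id}/permits with the key kept server-side."""
    api_key = os.environ.get(KEY_ENV)  # never hard-coded, never sent to a browser
    if not api_key:
        raise AuthError(f"{KEY_ENV} is not set")
    # Encode the id so caller-supplied input cannot alter the request path.
    pid = urllib.parse.quote(str(property_id), safe="")
    url = f"{BASE_URL}/v1/property/{pid}/permits"
    for attempt in range(max_retries + 1):
        status, body = transport(url, {"X-API-Key": api_key})
        if status == 403:
            # Error text deliberately omits the key so it cannot leak into logs.
            raise AuthError("API key rejected (403); check or rotate the key")
        if status != 429:
            return status, body
        if attempt < max_retries:
            sleep(2 ** attempt)  # 1s, 2s, 4s: gives a throttle window time to clear
    # An exhausted monthly quota also returns 429 and will not clear on retry.
    raise ThrottledError("429 after retries; throttle or monthly quota exceeded")
```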

