Authentication

Authenticate with Business API using V2 API Keys. Simple Bearer token authentication with built-in environment separation.

V2 API Keys

Business API uses API keys to authenticate requests. You can generate and manage your keys from the API Keys section in your dashboard.

All API requests must include your key as a Bearer token in the Authorization header:

Authorization: Bearer bapi_sk_live_your_key_here

Key Types

There are four types of API keys, combining key type (secret or publishable) with environment (live or test):

Key Prefix      Type          Environment   Use Case
bapi_sk_live_   Secret        Live          Server-to-server, production
bapi_sk_test_   Secret        Test          Server-to-server, testing
bapi_pk_live_   Publishable   Live          Browser/frontend, production
bapi_pk_test_   Publishable   Test          Browser/frontend, testing

Secret vs Publishable Keys

Secret Keys (sk)

  • Full access to all endpoints (lodgement, status, helpers)
  • Must be kept confidential on your server
  • Blocked from browser environments
  • Use for all backend API integrations

Publishable Keys (pk)

  • Access to helper/search endpoints only
  • Safe to use in browser/frontend code
  • Restricted to whitelisted domains
  • Use for name availability checks, industry lookups, etc.

Never expose secret keys in client-side code. Secret keys should only be used in server-to-server requests. If you need to make API calls from a browser, use a publishable key.

Environments

The environment is determined by the URL you call, not by a field in your request body. Use test endpoints for development and live endpoints for production.

Environment   Base URL                                  Key Required
Live          https://businessapi.com.au/api/v2/        bapi_*_live_*
Test          https://businessapi.com.au/api/test/v2/   bapi_*_test_*

Using a live key on a test endpoint (or vice versa) will return an error.
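
An added example, not part of the Business API documentation: a pre-flight check that reads key type and environment from the prefixes in the Key Types table, refuses a key/URL mismatch or a non-Business API host before the request is sent, and scans text such as a frontend bundle for secret keys. The function names, the character set assumed after the prefix, and the sample bundle are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

HOST = "businessapi.com.au"
BASES = {"live": "/api/v2/", "test": "/api/test/v2/"}  # Environments table
# Assumption: the part after the prefix is letters, digits, "_" or "-".
KEY_RE = re.compile(r"\bbapi_(sk|pk)_(live|test)_[A-Za-z0-9_-]+")
# Constructed sample of frontend code that embeds a secret key by mistake.
SAMPLE_BUNDLE = 'h={Authorization:"Bearer bapi_sk_live_CONSTRUCTED1"};pk="bapi_pk_test_CONSTRUCTED2"'


def classify_key(key):
    """Return (kind, environment) for a V2 key, e.g. ("secret", "test")."""
    m = KEY_RE.fullmatch(key)
    if not m:
        raise ValueError("not a V2 API key")
    return {"sk": "secret", "pk": "publishable"}[m.group(1)], m.group(2)


def url_environment(url):
    """Return "live" or "test" for a V2 URL; reject any other host or path."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != HOST:
        raise ValueError("refusing to send a key to " + url)
    for env, base in BASES.items():
        if parts.path.startswith(base):
            return env
    raise ValueError("not a V2 endpoint: " + parts.path)


def check_request(key, url, in_browser=False):
    """Raise ValueError if this key must not be sent to this URL."""
    kind, key_env = classify_key(key)
    if in_browser and kind == "secret":
        raise ValueError("secret key in client-side code")
    url_env = url_environment(url)
    if key_env != url_env:
        raise ValueError(f"{key_env} key sent to a {url_env} endpoint")
    return kind, key_env


def find_secret_keys(text):
    """Return secret (sk) keys found in text, e.g. a built frontend bundle."""
    return [m.group(0) for m in KEY_RE.finditer(text) if m.group(1) == "sk"]
```

Running find_secret_keys over build output in CI catches a secret key before it ships to browsers; any key it finds should be rolled.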

Example Requests

Live company name availability check:

# Using a secret key on the live endpoint
curl https://businessapi.com.au/api/v2/helpers/company-name-availability \
-H "Authorization: Bearer bapi_sk_live_your_key_here" \
-G -d "name=My+Company"

Test ABN registration lodgement:

# Using a secret key on the test endpoint
curl https://businessapi.com.au/api/test/v2/abn/registrations \
-H "Authorization: Bearer bapi_sk_test_your_key_here" \
-H "Content-Type: application/json" \
-d '{"...": "..."}'

Domain Whitelisting (Publishable Keys)

Publishable keys are restricted to requests from whitelisted domains. When creating a publishable key, specify the domains your frontend will make requests from.

  • Up to 5 domains per key
  • Domains are validated against DNS records
  • localhost, 127.0.0.1, *.test, and *.local are always allowed for development
  • Domains can be updated at any time from the dashboard

Key Rolling

When you need to rotate a key, you can choose between two strategies:

Instant Roll

The old key is immediately decommissioned and a new key is generated. Use this if you suspect your key has been compromised.

24-Hour Delayed Roll

Both old and new keys work for 24 hours, giving you time to update your integration without downtime. Recommended for routine key rotation.

Rate Limits

Endpoint Type                Rate Limit
Helper/search endpoints      1,200 requests/minute
Lodgement/status endpoints   600 requests/minute

Legacy Authentication (V1)

The previous authentication methods (Standard API Key via X-Auth-BAPI header, OAuth 2.0 Personal Access Tokens, and Publishable Tokens) continue to work on V1 endpoints. We recommend migrating to V2 API Keys for a simpler, more secure authentication experience.

testTransmissionIndicator is not supported on V2

V1 endpoints accepted a testTransmissionIndicator field in the request body to switch between live and test environments. This field has no effect on V2 endpoints. In V2, the environment is determined entirely by your API key prefix and the URL you call — use a bapi_*_test_* key with https://businessapi.com.au/api/test/v2/ for testing.