Authentication

The Inboxroad Contacts API is authenticated using the API token you obtain from Obtain API token.

Authentication header

The Contacts API only accepts authentication through the X-API-Key header.

Send your API token with every request:

curl -X GET 'https://webapi.inboxroad.com/api/v2/contacts-lists/' \
  -H 'X-API-Key: <your_token>' \
  -H 'Content-Type: application/json'

Note

The Contacts API only supports the X-API-Key header.

The Authorization: Basic <token> format supported by the Sending API is not supported here.

Error responses

Status code	Description
401	Missing or invalid X-API-Key, or the token is not linked to a customer profile.
429	Rate limit exceeded. See Rate limiting.

Rate limiting

Contacts API endpoints are rate limited per API key.

Each API key is limited to:

• 60 requests per minute

Every response includes headers that show your current rate limit usage:

Header	Description
X-RateLimit-Limit	Maximum number of requests allowed in the current window.
X-RateLimit-Remaining	Remaining requests available in the current window.
X-RateLimit-Reset	Number of seconds until the rate limit window resets.

If the limit is exceeded, the API returns:

HTTP/1.1 429 Too Many Requests
Retry-After: 23
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 23

The Retry-After header indicates how many seconds you should wait before retrying the request.

Tip

We recommend implementing retry or backoff logic in your integration.

When you receive a 429 Too Many Requests response, wait the number of seconds specified in the Retry-After header before sending another request.