Base URLs
Sandbox and production are fully isolated — data and credentials never cross between them. See Environments.
Authentication
Tokens are issued from the OIDC token endpoint and sent on every request asAuthorization: Bearer <token>.
App tokens are short-lived — refresh before
expires_in elapses. See Client credentials and User token.
Rate limits
The API allows 30 requests per second. Exceeding it returns429 Too Many Requests with a Retry-After header.
Watch
RateLimit-Remaining to stay under the ceiling, and back off with exponential delays on a 429, starting from the Retry-After value. See Rate limiting.
Pagination
List endpoints use cursor-based pagination with the same contract everywhere.
Each response carries
nextPaginationToken (and prevPaginationToken). Keep requesting with the returned token until nextPaginationToken is null — that is the only stop condition. See Pagination, sorting, and filtering.