Authentication
API keys, scopes, rate limits, and security best practices for the Renta API.
Every Renta API request requires authentication via an API key passed in the Authorization header.
Authorization: Bearer renta_sk_live_...
Key Types
Renta uses two types of API keys with different access levels:
Secret Keys (renta_sk_...)
| Property | Value |
|---|---|
| Prefix | renta_sk_live_ or renta_sk_test_ |
| Access | Full API access — all endpoints |
| Scopes | read, write, admin |
| Use in | Server-side only |
Secret keys can create bookings, manage fleet items, access customer data, and perform all operations. Never expose secret keys in client-side code.
Publishable Keys (renta_pk_...)
| Property | Value |
|---|---|
| Prefix | renta_pk_live_ or renta_pk_test_ |
| Access | Storefront endpoints only |
| Scopes | storefront:read |
| Use in | Client-side (browsers, mobile apps) |
Publishable keys are designed for the Storefront API. They can browse inventory, get shop profiles, and create bookings through the storefront flow — but cannot access admin endpoints.
Passing a secret key to RentaStorefront throws RentaAuthError. The SDK enforces key type safety.
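The prefix rules above can also be checked at application startup, before a key reaches any SDK constructor. The following is an added example, not part of the Renta SDK: the function names, `RuntimeContext`, and the `"production"` deployment label are assumptions, and only the key prefixes come from this page.

```typescript
// Added example (not Renta SDK code). Prefixes are from this page; names are assumed.
type KeyKind = "secret" | "publishable";
type KeyEnv = "live" | "test";
interface KeyInfo { kind: KeyKind; env: KeyEnv; }
interface RuntimeContext {
  side: "server" | "client"; // where the key will be used
  deployment: string;        // assumed labels, e.g. "production", "development"
}

// Only the documented prefix is checked. The page does not specify the format
// of the rest of the key, so it is only required to be non-empty, no whitespace.
const KEY_PREFIX = /^renta_(sk|pk)_(live|test)_(\S+)$/;

function classifyKey(key: string): KeyInfo | null {
  const m = KEY_PREFIX.exec(key);
  if (m === null) return null;
  return {
    kind: m[1] === "sk" ? "secret" : "publishable",
    env: m[2] === "live" ? "live" : "test",
  };
}

// Returns the list of policy violations; an empty list means the key may be used.
function checkKey(key: string | undefined, ctx: RuntimeContext): string[] {
  if (key === undefined || key === "") return ["no API key configured"];
  const info = classifyKey(key);
  if (info === null) return ["value does not look like a Renta API key"];
  const problems: string[] = [];
  if (info.kind === "secret" && ctx.side === "client")
    problems.push("secret key in client-side code");
  if (info.env === "live" && ctx.deployment !== "production")
    problems.push("live key outside production");
  if (info.env === "test" && ctx.deployment === "production")
    problems.push("test key in production");
  return problems;
}

// Safe form for logs and error messages: prefix only, never the key material.
function redactKey(key: string): string {
  const m = KEY_PREFIX.exec(key);
  return m === null ? "[unrecognized key]" : `renta_${m[1]}_${m[2]}_***`;
}

// Constructed sample (not a real key): a live secret key in a development browser build.
const sampleProblems = checkKey("renta_sk_live_EXAMPLE", { side: "client", deployment: "development" });
```

Call `checkKey` once at startup and refuse to boot on a non-empty result, logging only `redactKey(key)`.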
Scopes
API key scopes control what operations are permitted:
| Scope | Description | Endpoints |
|---|---|---|
| read | Read-only access to all resources | GET on fleet, bookings, customers, etc. |
| write | Create and modify resources | POST, PATCH, DELETE on all resources |
| admin | Administrative operations | Calendar feeds, settings, staff management |
| storefront:read | Public storefront access | Shop profile, inventory browsing, booking creation |
Secret keys include read + write scopes by default. Admin scope is available for keys with elevated permissions.
Environments
| Environment | Key prefix | Base URL |
|---|---|---|
| Live | renta_sk_live_, renta_pk_live_ | https://api.getrenta.io/v1 |
| Test | renta_sk_test_, renta_pk_test_ | https://api.getrenta.io/v1 |
Test keys operate on isolated test data. No real payments are processed.
Rate Limits
| Key Type | Limit | Window |
|---|---|---|
| Secret key | 1,000 requests | per minute |
| Publishable key | 100 requests | per minute |
| Test keys | 500 requests | per minute |
When rate limited, the API returns 429 Too Many Requests with a Retry-After header:
{
  "error": {
    "type": "rate_limit_exceeded",
    "message": "Too many requests. Retry after 30 seconds.",
    "retry_after": 30
  }
}
The SDK automatically retries rate-limited requests with exponential backoff. Set maxRetries: 0 to disable.
Multi-Tenant Context
Renta is a multi-tenant platform. Your API key is scoped to a single tenant (rental business). All operations automatically filter to your tenant — you cannot access other tenants' data.
The tenant is identified from your API key. No tenant_id parameter is needed.
Security Best Practices
- Rotate keys regularly — Generate new keys from Dashboard → Settings → API Keys
- Use environment variables — Never hardcode keys in source code
- Restrict by environment — Use test keys for development, live keys for production
- Monitor usage — Check API usage in the Dashboard for anomalies
- Use publishable keys for client-side — Never expose secret keys in browsers or mobile apps
// ✅ Correct — environment variable
const renta = new Renta({
  apiKey: process.env.RENTA_API_KEY!,
});
// ❌ Wrong — hardcoded key
const renta = new Renta({
  apiKey: 'renta_sk_live_abc123...',
});
Error Responses
Authentication failures return 401 Unauthorized:
{
  "error": {
    "type": "authentication_error",
    "message": "Invalid API key provided."
  }
}
Insufficient scope returns 403 Forbidden:
{
  "error": {
    "type": "authorization_error",
    "message": "API key does not have the required scope: write"
  }
}