Replenit
Replenit - Turn Every Customer Into Loyal Repeat Buyer
docs

Authentication

By Marta Szymanska
February 3, 2026

Authentication

This guide explains how to authenticate with the Replenit Ingestion API, including how to obtain and use your API Key and Tenant ID.

Overview

All Replenit API requests require:

  • A valid API Key
  • A valid Tenant ID
  • Both must belong to the same tenant

Authentication is performed via HTTP headers and path parameters.

 

API Key

All API requests must include a valid API key provided via the
x-replenit-auth-key HTTP header.

Example Request

POST /customers/{tenantId}
Host: api.replen.it
Content-Type: application/json
x-replenit-auth-key: YOUR_BASE64_API_KEY

 

Requests without a valid API key are rejected.

 

Tenant ID

Each API request is scoped to a Tenant.

The tenantId:

  • Identifies your organization in Replenit
  • Is required in all ingestion endpoints
  • Is immutable (read-only)

 

Get Your API Key

API keys are created and managed in the Replenit panel.

Steps

  1. Log in to your Replenit panel
    (Contact your Customer Success Manager if you have not received an invitation email.)
  2. Navigate to
    Settings → API Key Management
  3. Click Generate New Key
  4. Copy the generated key and store it securely
⚠️ Important
For security reasons, the API key is shown only once.
If lost or compromised, it must be revoked and regenerated.

 

Get Your Tenant ID

The Tenant ID is generated automatically when your organization is created in Replenit.

How to find your Tenant ID

  1. Log in to your Replenit panel
  2. Navigate to
    Settings → API Key Management
  3. Locate your Tenant ID displayed alongside your API keys
ℹ️ The Tenant ID cannot be edited or regenerated.

 

Secure Storage

API keys and Tenant IDs must be stored securely and must not be embedded directly in source code.

Environment Variables (Recommended)

# .env file (exclude from version control)
REPLENIT_API_KEY=your_base64_api_key_here
REPLENIT_TENANT_ID=your_tenant_id_here

 

Usage Examples

Python

import os
from dotenv import load_dotenv

load_dotenv()

API_KEY = os.getenv(“REPLENIT_API_KEY”)
TENANT_ID = os.getenv(“REPLENIT_TENANT_ID”)

 

Node.js

require(“dotenv”).config();

const API_KEY = process.env.REPLENIT_API_KEY;
const TENANT_ID = process.env.REPLENIT_TENANT_ID;

 

Best Practices

  • Never commit API keys to version control
  • Use separate API keys for development, staging, and production
  • Do not expose API keys in client-side code (browser or mobile)
  • Rotate API keys periodically
    (recommended: every 6 months)
  • Always ensure the API key and Tenant ID belong to the same tenant

 

Common Mistakes

Keys Embedded in Source Code

# Incorrect
API_KEY = “dGVzdF9hcGlfa2V5”

 

# Correct
API_KEY = os.getenv(“REPLENIT_API_KEY”)

 

Keys Committed to Version Control

Ensure the following files are excluded:

.env
config.json
secrets/

 

 Client-Side Key Exposure

Do not use API keys directly in browser or mobile applications.

Always route requests through a secure backend service.

fetch(“/api/proxy/customers”);

 

Troubleshooting

401 Unauthorized

  • x-replenit-auth-key header is missing
  • API key is incorrect or truncated
  • API key has been revoked

 

403 Forbidden

  • tenantId does not match your organization
  • API key belongs to a different tenant
  • Wrong environment (e.g. prod key used in staging)

Support

For authentication-related issues, contact:

support@replen.it

 

Back to Blog