Authentication
Every request to the developer API must carry an API key in the Authorization header as a Bearer token.
Authorization: Bearer sg_live_3f9aK2pLqWzXyR7vT1mN8cD4Creating an API key
- Sign in to your Commercial Units dashboard.
- Go to Settings → Developer.
- Click Create API key, give it a label (e.g. "Company website"), and create it.
- Copy the key now. It is shown once, at creation time, and never again.
Store it securely. We only keep a hash of your key — we cannot show it to you again, and we cannot recover it. Treat it like a password: keep it in a secret manager or server-side environment variable, never commit it to a public repo, and never expose a
livekey in client-side code you don't control. If a key is lost or leaked, revoke it in Settings → Developer and create a new one.
You can hold multiple keys at once (e.g. one per website, or one to rotate in while retiring another). Revoking a key takes effect immediately.
The key format: country-prefixed
Keys look like this:
sg_live_3f9aK2pLqWzXyR7vT1mN8cD4
└┘ └──┘ └──────────────────────┘
│ │ └─ the secret (random, opaque)
│ └────────────── environment: always "live"
└────────────────── country prefix (lowercase country code)The country prefix is the lowercase Commercial Units country code for the country your organisation operates in. The prefix is meaningful — it routes the request to that country's API and data. A sg_live_… key only ever sees Singapore listings; a my_live_… key only ever sees Malaysia listings.
| Prefix | Country | Prefix | Country |
|---|---|---|---|
sg_ | Singapore | us_ | United States |
my_ | Malaysia | ca_ | Canada |
uk_ | United Kingdom | au_ | Australia |
in_ | India | nz_ | New Zealand |
If you operate in more than one country, create one key per country from the dashboard for that country's account. There is no single "all-countries" key — per-country isolation is by design.
Sending the key
Pass the key as a Bearer token on every request:
curl https://api.commercialunits.com/v1/listings \
-H "Authorization: Bearer sg_live_3f9aK2pLqWzXyR7vT1mN8cD4"fetch('https://api.commercialunits.com/v1/listings', {
headers: { Authorization: 'Bearer sg_live_3f9aK2pLqWzXyR7vT1mN8cD4' },
});What can go wrong
| Status | Meaning | Fix |
|---|---|---|
401 Unauthorized | Missing, malformed, revoked, or unknown key | Check the header is Authorization: Bearer <key> and the key is current |
403 Forbidden | Key is valid but the request's Origin isn't on your allow-list | Add your site's origin in Settings → Developer (see CORS & Embedding) |
See Rate Limits & Errors for the full error reference.