Authentication & Concepts
This page covers the shared concepts required for every DigiKey API integration: OAuth 2.0 authentication, required headers, rate limits, and error handling.
OAuth 2.0
All DigiKey APIs require an OAuth 2.0 bearer token on every request:
Authorization: Bearer <access_token>
There are two supported flows. Which one you need depends on the API.
2-legged flow (Client Credentials)
Use this flow for server-to-server requests where no user is involved. It returns a token that represents your application, not a specific user.
When to use: Product Information v4, Order Status v4, Supply Chain v1, Reference APIs.
Token request:
POST https://api.digikey.com/v1/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Token response:
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 1800
}
The access token expires in 1800 seconds (30 minutes). Request a new one before it expires.
3-legged flow (Authorization Code)
Use this flow when the API requires access to a specific user's account data. The user must log in to DigiKey and grant permission.
When to use: Quotes v4, Ordering v3, Order Management v1, MyLists v1, Barcode v3, Packing List v1, Product Change Notifications.
Step 1 — Redirect the user to the authorization endpoint:
https://api.digikey.com/v1/oauth2/authorize
?client_id=YOUR_CLIENT_ID
&response_type=code
&redirect_uri=YOUR_REDIRECT_URI
&state=RANDOM_STATE_VALUE
Step 2 — Exchange the authorization code for a token:
POST https://api.digikey.com/v1/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code=AUTHORIZATION_CODE
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&redirect_uri=YOUR_REDIRECT_URI
Token response:
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "def502008a3f..."
}
Step 3 — Refresh the access token:
When the access token expires, use the refresh token to get a new one without requiring user interaction again:
POST https://api.digikey.com/v1/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=YOUR_REFRESH_TOKEN
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
| Token | Lifetime |
|---|---|
| Authorization code | 10 minutes |
| Access token (3-legged) | 60 minutes |
| Refresh token | 30 days |
| Access token (2-legged) | 30 minutes |
The
expires_infield in the token response is authoritative. These values may change; always read from the response.
Required headers
Every API request requires these two headers:
| Header | Value | Notes |
|---|---|---|
Authorization |
Bearer <access_token> |
Required on all requests |
X-DIGIKEY-Client-Id |
Your Client ID | Required on all requests |
Most endpoints that accept a request body also require:
| Header | Value |
|---|---|
Content-Type |
application/json |
TLS
All connections must use TLS 1.2 or higher. HTTP connections are not accepted.
Rate limits
Rate limits apply per API product subscription.
| Limit type | Default |
|---|---|
| Burst | 120 requests per minute |
| Daily | Varies by subscription tier |
Rate limit headers are included in every response:
| Header | Description |
|---|---|
X-RateLimit-Limit |
Maximum requests allowed per day |
X-RateLimit-Remaining |
Requests remaining today |
X-RateLimit-Reset |
Unix timestamp when the daily limit resets |
X-BurstLimit-Limit |
Maximum requests per minute |
X-BurstLimit-Remaining |
Requests remaining this minute |
X-BurstLimit-Reset |
Seconds until the burst window resets |
When a limit is exceeded, the API returns 429 Too Many Requests with a Retry-After header indicating how many seconds to wait.
HTTP status codes
DigiKey APIs use standard HTTP status codes.
| Code | Meaning |
|---|---|
200 OK |
Request succeeded |
201 Created |
Resource created successfully |
204 No Content |
Request succeeded, no body returned |
400 Bad Request |
Invalid parameter or malformed request body |
401 Unauthorized |
Missing, expired, or invalid access token |
403 Forbidden |
Valid token but insufficient permissions, or API not subscribed |
404 Not Found |
Requested resource does not exist |
405 Method Not Allowed |
HTTP method not supported for this endpoint |
429 Too Many Requests |
Rate limit exceeded; check Retry-After header |
500 Internal Server Error |
Server-side error; retry the request |
503 Service Unavailable |
API temporarily unavailable |
Standard error response body
{
"ErrorResponseVersion": "3.0.0.0",
"StatusCode": 400,
"ErrorMessage": "Bad Request",
"ErrorDetails": "The parameter 'Keywords' is required.",
"RequestId": "fa3e4d88-bfc4-4565-c6d5-a567633c091b",
"ValidationErrors": [
{
"Field": "Keywords",
"Message": "The Keywords field is required."
}
]
}
Include RequestId in any support requests.
Environments
| Environment | Base URL |
|---|---|
| Production | https://api.digikey.com |
| Sandbox | https://sandbox-api.digikey.com |
The sandbox uses the same authentication flow as production. Sandbox product searches return example data rather than live inventory.
Credentials security
- Client ID identifies your application and is safe to include in headers.
- Client Secret must be kept private. Never include it in client-side code or commit it to version control.
- Store secrets in environment variables or a secrets manager.
- Use a development or test application for testing; reserve your production application for production traffic.