DigiKey API Portal

Frequently Asked Questions


Authentication

I'm getting 401 with "The Bearer token is invalid". What's wrong?

This error means the access token is missing, malformed, expired, or from the wrong environment. Steps to fix:

  1. Confirm you're sending the token as Authorization: Bearer <token>.
  2. Check that you're also sending X-DIGIKEY-Client-Id: <your_client_id>.
  3. If the token has expired, request a new one. 2-legged tokens expire in 30 minutes; 3-legged tokens expire in 60 minutes.
  4. Verify the token matches the environment you're calling: a production token for production (api.digikey.com), not a sandbox token, or vice versa.

What are the token expiration times?

Token                            Lifetime
Authorization code (3-legged)    10 minutes
Access token — 2-legged          30 minutes
Access token — 3-legged          60 minutes
Refresh token                    30 days

Always read expires_in from the token response. These values may change.
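
One way to follow this advice on the client side, as an added example that is not DigiKey's own code: a small cache that takes the lifetime from expires_in, renews the token shortly before it lapses, and builds the two headers listed above. The fetch_token callable, the skew_seconds margin and the invalidate() hook are assumptions for illustration; access_token is the standard OAuth 2.0 token response field.

```python
import time
from typing import Callable, Dict, Optional


class TokenCache:
    """Caches one access token and renews it shortly before it expires."""

    def __init__(self, client_id: str,
                 fetch_token: Callable[[], Dict],
                 skew_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.client_id = client_id
        self._fetch = fetch_token   # hypothetical: performs the token request
        self._skew = skew_seconds   # assumed safety margin before expiry
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _renew(self) -> None:
        # Timestamp taken before the request, so the estimate errs on the early side.
        issued = self._clock()
        resp = self._fetch()
        token = resp.get("access_token")
        if not token:
            raise ValueError("token response has no access_token")
        # Lifetime comes from the response, never from a hard-coded 30 or 60 minutes.
        lifetime = float(resp["expires_in"])
        if lifetime <= 0:
            raise ValueError("token response has a non-positive expires_in")
        self._token = token
        self._expires_at = issued + lifetime

    def invalidate(self) -> None:
        """Call after a 401 so the next request fetches a fresh token."""
        self._token = None

    def headers(self) -> Dict[str, str]:
        """Return the auth headers, renewing the token first if it is due."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._renew()
        return {
            "Authorization": f"Bearer {self._token}",
            "X-DIGIKEY-Client-Id": self.client_id,
        }
```

Keep the cached token out of logs and error messages; only the headers() result should ever carry it.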


When should I use 2-legged vs. 3-legged OAuth?

2-legged (Client Credentials): Server-to-server requests that do not need a specific user's data. Examples: product search, product details, order status lookup with Shared=true, and associated accounts.

3-legged (Authorization Code): Any operation tied to a user account: placing orders, managing lists, retrieving quotes, accessing packing lists and barcodes.


My redirect URI is not working during the authorization flow.

The redirect URI in your authorization request must match exactly what is registered in your application settings at developer.digikey.com/user/apps. This includes the scheme, host, port, and path. A trailing slash matters.

Allowed for local development: http://localhost:PORT/


Can I use a loopback URI for a CLI or desktop app?

Yes. Register http://localhost:PORT/ (e.g. http://localhost:8080/callback) in your app settings and start a local HTTP listener to capture the authorization code.


Rate limits

I'm getting 429 Too Many Requests. How do I fix it?

Read the Retry-After header in the response. It contains the number of seconds to wait before retrying. The burst limit is 120 requests per minute. A daily limit also applies per subscription.

Best practices:
- Cache product detail responses where the data does not change frequently.
- Batch keyword searches rather than making one request per part number where possible.
- Implement exponential backoff for retries.


Subscriptions and access

I get 403 Forbidden even though my token is valid.

Your application is not subscribed to that API product. Visit developer.digikey.com/products, find the product, and subscribe your application.


What does it mean that Ordering requires a credit account?

Ordering v3 (POST /Orders) requires your DigiKey account to have an approved credit line. If your account is a standard e-commerce account, orders placed through the API will fail at the time of submission. Contact DigiKey to inquire about credit account setup.


Environments

Is there a sandbox I can test against?

Yes. Use https://sandbox-api.digikey.com instead of https://api.digikey.com. The sandbox uses the same authentication endpoints. Product searches return example data; actual inventory and ordering are not available.


Part numbers

What do DigiKey part numbers look like?

DigiKey part numbers (SKUs) typically end in -ND. Examples: 311-10.0KHRCT-ND, 497-6063-ND. Manufacturer part numbers are separate (e.g. STM32F103C8T6). The keyword search API accepts both.


How do I find a category or manufacturer ID for filtering?

The most reliable approach: run a keyword search with no filters, then read the FilterOptions object in the response. It contains Manufacturers, TopCategories, and ParametricFilters populated from the actual search results. Use those IDs in your filter on the next request.