Authentication and Regions
Two things have to be correct before any integration will behave predictably:
- the base API host and path
- the authentication headers
Most early integration failures come from getting one of them wrong.
Regions and base URLs
Choose the API base URL for the region where the SpotDraft workspace is provisioned. Keep API calls, webhook configuration, and embedded flows in the same region.
| Region | API base URL |
|---|---|
| India | https://api.in.spotdraft.com/api/ |
| United States | https://api.us.spotdraft.com/api/ |
| Middle East | https://api.me.spotdraft.com/api/ |
| European Union | https://api.eu.spotdraft.com/api/ |
When you combine the base URL with a public endpoint path, avoid adding a second /api segment. For example:
https://api.in.spotdraft.com/api/v2.1/public/contract_types/
Versioned public paths
The backend exposes versioned public routes under paths like:
- /api/v2/public/...
- /api/v2.1/public/...
Always use https:// and validate the exact regional host for your workspace before debugging request behavior.
Authentication headers
Server-to-server access uses header-based credentials.
| Header | Required | Purpose |
|---|---|---|
| client-id | Yes | Public identifier for the API credential |
| client-secret | Yes | Secret paired with the API credential |
| user-email | No | Acts on behalf of an active workspace member |
If you omit user-email, the request runs in API-credential context.
Recommended request shape
```text
client-id: YOUR_CLIENT_ID
client-secret: YOUR_CLIENT_SECRET
Accept: application/json
```
Only add user-email when you intentionally need user-context behavior and the target user is active in that workspace.
Redirect-safe client behavior
The most common causes of unexpected redirects are:
- using http:// instead of https://
- a trailing slash mismatch between your request path and the documented path
Some HTTP clients follow redirects by changing the method or dropping the body. While debugging, disable redirect following and fix the URL directly.
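```python
import requests

# url, payload and headers are prepared by the caller.
response = requests.post(
    url,
    json=payload,
    headers=headers,
    allow_redirects=False,  # surface the redirect instead of following it
    timeout=30,
)
if response.is_redirect:
    raise RuntimeError(
        f"Unexpected redirect {response.status_code} -> {response.headers.get('Location')}"
    )
```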
Practical rules
- generate credentials in the workspace that owns the integration
- do not assume UAT credentials work in production
- keep host selection and credential selection coupled in deployment configuration
- log the exact host and path you called when debugging environment-specific issues
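One way to keep host and credential selection coupled and to avoid a doubled /api segment, as an added example that is not SpotDraft's own code. The function names, the profile dictionary layout and the region keys (in, us, me, eu) are assumptions made here; the base URLs and header names come from the tables above.

```python
from urllib.parse import urlsplit

# Regional base URLs, copied from the table on this page.
BASE_URLS = {
    "in": "https://api.in.spotdraft.com/api/",
    "us": "https://api.us.spotdraft.com/api/",
    "me": "https://api.me.spotdraft.com/api/",
    "eu": "https://api.eu.spotdraft.com/api/",
}

def build_url(region, path):
    """Join a regional base URL and an endpoint path without doubling /api."""
    if region not in BASE_URLS:
        raise ValueError(f"unknown region: {region!r}")
    if "://" in path:
        raise ValueError("pass an endpoint path, not a full URL")
    path = path.lstrip("/")
    if path.startswith("api/"):
        path = path[len("api/"):]  # the base URL already ends in /api/
    # The trailing slash is left as given: it has to match the documented path.
    return BASE_URLS[region] + path

def build_headers(profile, user_email=None):
    """Credential headers; user-email only when user context is intended."""
    headers = {
        "client-id": profile["client_id"],
        "client-secret": profile["client_secret"],
        "Accept": "application/json",
    }
    if user_email:
        headers["user-email"] = user_email
    return headers

def prepare_request(profile, path, user_email=None):
    """Resolve URL and headers from one profile so host and credential stay coupled."""
    return build_url(profile["region"], path), build_headers(profile, user_email)

def log_target(url):
    """Scheme, host and path for debug logs; headers and the secret are never included."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"

# Constructed profile with placeholder credentials (load real ones from a secret store).
UAT_PROFILE = {"region": "in", "client_id": "YOUR_CLIENT_ID",
               "client_secret": "YOUR_CLIENT_SECRET"}

if __name__ == "__main__":
    url, headers = prepare_request(UAT_PROFILE, "/api/v2.1/public/contract_types/")
    print(log_target(url), sorted(headers))
```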
Related
- Use Quickstart for the first successful request.
- Use Environments for UAT-versus-production operating rules.
- Use Errors and Redirects for hardened client handling.