Documentation
Authentication
All authenticated API endpoints require an API key passed via the X-API-Key header.
API Key format
All tokens follow this format:
uafm_live_<48-hex-character-string> # Production token uafm_sandbox_<48-hex-character-string> # Sandbox token
Sending the header
curl https://api.apply.org.za/v1/bursaries \
-H "X-API-Key: uafm_live_your_token_here"Error responses
401 UnauthorizedNo API key provided or key is invalid403 ForbiddenAPI key lacks the required scope for this endpoint429 Too Many RequestsRate limit exceeded — see rate limit headersKeeping keys secure
- Never expose your API key in client-side JavaScript or public repositories.
- Use environment variables to store keys (e.g.
UAFM_API_KEY). - Use sandbox tokens during development — they hit the same API but are rate-limited separately.
- Rotate keys immediately if you suspect a compromise.