Authentication
All requests to the Funnel Customer APIs must be authenticated using an API key issued for your customer account. Keys are scoped and configured by Funnel, and may include customer-specific settings such as listing display preferences.
To request API access, contact your Funnel customer service representative. Funnel issues API keys on request and configures them based on your intended use.
What to include in your request
Providing the details below helps us issue the right key the first time and avoid delays:
- Your customer account name and primary technical contact
- Where the integration will run (server-side service, internal tool, website, etc.)
- Whether the key needs to be used in a browser or other client-side environment
- Any listing display requirements (for example, whether full addresses may be shown)
- Expected volume and synchronization patterns (scheduled sync, near real-time, etc.)
Authorized use
Public vs private keys
Your representative will help determine whether you need a public key or a private key based on where the key will be used and the sensitivity of the data returned.
| Key type | Intended use | Security expectations |
|---|---|---|
| Public key | Customer-owned integrations where the key may be exposed in a client-side environment (for example, a public website). | Treat as less sensitive. Use only when necessary. Do not use to access sensitive fields or internal-only data. |
| Private key | Server-to-server integrations, internal services, scheduled synchronization jobs, and back-office tools. | Must be kept secret and stored in a secure secret-management system. Never embed in client-side code. |
Client-side usage
Funnel Customer APIs use HTTP Basic Authentication. The username is your API key and the password is blank. Requests must be made over HTTPS.
For protocol details, see HTTP Basic Authentication.
Example requests
```
curl --user YOUR_API_KEY: https://api.funnelleasing.com/api/v2/onlineleasing-link/
```
Common authentication responses
| Status | Meaning | What to check |
|---|---|---|
| 200 OK | Authentication succeeded. | Proceed with your integration and implement retries/backoff for transient failures. |
| 401 Unauthorized | Missing or invalid credentials. | Verify the API key, ensure Basic Auth is set, and confirm the password is blank. |
| 403 Forbidden | Credentials are valid, but access is not permitted for this resource. | Confirm your key type (public/private), permissions, and any account-level restrictions. |
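The request and response handling described above, as an added Python example (not Funnel's own client code): it builds the Basic header from the key with a blank password, refuses non-HTTPS URLs and redirects, and maps status codes to the follow-ups in the table. The `FUNNEL_API_KEY` variable name and the choice of 429/5xx as the transient failures to retry are assumptions.

```python
import base64
import os
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_URL = "https://api.funnelleasing.com/api/v2/onlineleasing-link/"  # from the curl example

def basic_auth_header(api_key: str) -> str:
    """Username = API key, password = blank, i.e. base64("<key>:")."""
    if not api_key or ":" in api_key:
        raise ValueError("API key must be non-empty and must not contain ':'")
    return "Basic " + base64.b64encode(f"{api_key}:".encode()).decode("ascii")

def build_request(url: str, api_key: str) -> urllib.request.Request:
    """Refuse to attach the key to anything that is not HTTPS."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    return urllib.request.Request(url, headers={"Authorization": basic_auth_header(api_key)})

def next_action(status: int) -> str:
    """Map a status code to the follow-up from the table above."""
    if status == 200:
        return "ok"
    if status == 401:
        return "check-key-and-blank-password"
    if status == 403:
        return "check-key-type-and-permissions"
    # Assumption: 429 and 5xx are the transient failures worth retrying.
    return "retry-with-backoff" if status == 429 or 500 <= status < 600 else "fail"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # a 3xx surfaces as HTTPError; the key is never re-sent elsewhere

def fetch(url: str = API_URL, attempts: int = 4) -> bytes:
    # FUNNEL_API_KEY is a hypothetical variable name, populated by your secret manager.
    req = build_request(url, os.environ["FUNNEL_API_KEY"])
    opener = urllib.request.build_opener(_NoRedirect)
    for attempt in range(attempts):
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            action = next_action(err.code)
            if action != "retry-with-backoff" or attempt == attempts - 1:
                raise RuntimeError(f"HTTP {err.code}: {action}") from None
        time.sleep(2 ** attempt)  # 1s, 2s, 4s between attempts
```

The error raised on failure carries only the status code and the follow-up label, so the key never ends up in exception text or logs.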
Treat API keys as privileged credentials. The practices below help prevent accidental exposure and reduce the blast radius if a key is compromised.
| Recommended | Avoid |
|---|---|
| Store API keys in a secret manager (or an encrypted environment variable system) and load them at runtime. | Do not commit keys to source control, logs, support tickets, or documentation. |
| Use private keys for server-to-server integrations and keep them off client devices. | Do not embed private keys in browser code, mobile apps, or downloadable binaries. |
| Limit distribution: issue the minimum number of keys needed and retire keys that are no longer in use. | Do not reuse a single key across unrelated systems or teams without access controls. |
| Rotate keys on a regular schedule aligned with your security requirements, and rotate immediately after any suspected exposure. | — |
| Monitor for unexpected usage patterns and alert on anomalies (for example, sudden volume spikes or traffic from unknown environments). | — |
If a key is exposed
Some listing display behaviors are configured at the API key level. If you need different display behavior across multiple integrations, you may require more than one key.
Location visibility
| Option | Description |
|---|---|
| Full address visibility (default) | Full address and location details are returned for listings accessed with this key. |
| Street-only visibility | Street and cross-street information is returned, but building numbers are hidden. |
| Neighborhood only (legacy) | Legacy option. Neighborhood may be returned while address and street details are hidden. Not recommended for new integrations. |
Legacy option
Additional display options
| Option | Description | Default |
|---|---|---|
| Hide unit number | Unit numbers are blank when enabled. | False |
| Include broker info | Includes broker-oriented fields intended for internal use (for example, access instructions, commission structure, and open house scheduling details where applicable). | False |
Broker information
If you do not see your question here, contact support@funnelleasing.com.
Rotate the API key immediately.
Investigate the source of exposure (e.g., repositories, CI logs, client-side code). If you need assistance rotating the key or reviewing access patterns, contact support@funnelleasing.com.
If you believe the key was used by an unauthorized party, include approximate timestamps and any relevant request identifiers when you contact support.
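One way to investigate repositories and CI logs for an exposed key, as an added Python example that is not part of Funnel's tooling: because the key is the Basic Auth username with a blank password, it looks for `Authorization: Basic` values that decode to `<key>:` and for `curl --user <key>:` invocations, and reports a fingerprint rather than the key. The sample log and the key in it are constructed for this example.

```python
import base64
import binascii
import hashlib
import re

PLACEHOLDERS = {"YOUR_API_KEY"}  # the documentation placeholder is not a finding
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/]+={0,2})", re.IGNORECASE)
CURL_RE = re.compile(r"(?<![\w-])(?:--user|-u)[ =]+['\"]?([^\s:'\"]+):(?=['\"\s]|$)")

def fingerprint(key: str) -> str:
    """Short SHA-256 prefix: lets you match findings to a key without re-printing it."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def find_exposures(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, kind, key fingerprint) for each key-shaped credential."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in BASIC_RE.finditer(line):
            try:
                decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not valid base64 text, ignore
            user, sep, password = decoded.partition(":")
            # This API's scheme: key as username, blank password.
            if sep and user and password == "" and user not in PLACEHOLDERS:
                findings.append((number, "basic-header", fingerprint(user)))
        for match in CURL_RE.finditer(line):
            if match.group(1) not in PLACEHOLDERS:
                findings.append((number, "curl-user", fingerprint(match.group(1))))
    return findings

def _b64(value: str) -> str:
    return base64.b64encode(value.encode()).decode("ascii")

# Constructed CI log excerpt; the key below is made up for this example.
SAMPLE_KEY = "constructed-key-123"
SAMPLE_CI_LOG = "\n".join([
    "+ curl --user YOUR_API_KEY: https://api.funnelleasing.com/api/v2/onlineleasing-link/",
    f"+ curl --user {SAMPLE_KEY}: https://api.funnelleasing.com/api/v2/onlineleasing-link/",
    "> GET /api/v2/onlineleasing-link/ HTTP/1.1",
    f"> Authorization: Basic {_b64(SAMPLE_KEY + ':')}",
    f"> Authorization: Basic {_b64('user:password')}",  # has a password: not this scheme
])

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_CI_LOG):
        print(finding)
```

The line numbers of the findings also give you the approximate timestamps to include when you contact support.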
API keys are typically long-lived. If your organization requires periodic rotation, contact your customer service representative or support to coordinate key rotation and ensure continuity for production integrations.
Follow your organization’s security policy. Many teams rotate every 90 to 365 days, and rotate immediately after any suspected exposure. If you need help planning rotation for multiple services or environments, contact support.
Yes. Some teams use separate keys for different environments (for example, staging vs production) or to apply different key-level display settings. Contact your representative to discuss key provisioning.