Authentication

Managed credentials first, sandbox OAuth where explicitly supported.

Production integrations should assume managed credentials issued through DutyClaims partner onboarding. Sandbox OAuth client credentials exist to support partner testing, not to hide the production credential model.

Production

Managed credentials

Most routes accept the managed credential in the `Authorization` header. Some integrations can also send `X-API-Key` directly where documented.

curl https://api.dutyclaims.com/v1/clients \
  -H "Authorization: Bearer dcp_live_replace_me"

curl https://api.dutyclaims.com/v1/claims/status?claimId=clm_123 \
  -H "X-API-Key: dcp_live_replace_me"

Sandbox Only

Sandbox OAuth client credentials

The sandbox token endpoint issues opaque bearer tokens for approved sandbox partner clients only. Production access is still managed-credential centric.

curl -X POST https://api.dutyclaims.com/v1/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=dc_client_id&client_secret=dc_client_secret"

The current auth semantics are also present in the live contract at https://api.dutyclaims.com/v1/docs/openapi.

Current scope vocabulary

Scope	Meaning
`partner.read`	Read access to the corresponding partner surface.
`partner.manage`	Capability-gated workflow permission enforced by the API.
`clients.read`	Read access to the corresponding partner surface.
`clients.write`	Write access to the corresponding partner surface.
`authority.read`	Read access to the corresponding partner surface.
`authority.write`	Write access to the corresponding partner surface.
`revenue.read`	Read access to the corresponding partner surface.
`webhooks.read`	Read access to the corresponding partner surface.
`webhooks.write`	Write access to the corresponding partner surface.
`diligence.read`	Read access to the corresponding partner surface.
`diligence.submit`	Write access to the corresponding partner surface.
`financing.request`	Capability-gated workflow permission enforced by the API.
`litigation.enroll`	Capability-gated workflow permission enforced by the API.
`notifications.read`	Read access to the corresponding partner surface.
`notifications.write`	Write access to the corresponding partner surface.

Operational rules

Do not treat sandbox OAuth availability as proof that the same flow is enabled for production tenants.
Rotate managed credentials when partner ownership or environment state changes.
Honor 401, 403, and 429 problem responses instead of retrying blindly.
Keep partner capability state aligned with the scopes you request and the routes you call.