Guides
  1. getting started

Authentication

How to authenticate requests using your API key.

All API requests must include a valid API key in the X-API-Key header. Sandbox and production each have their own key — they are not interchangeable.

API key prefixes

EnvironmentPrefixBase URL
Sandboxsk_sbx_…https://sandbox-api.callplus.be
Productionsk_prod_…https://api.callplus.be

You receive each key when the corresponding account is provisioned. Keys are shown once — store them securely.

Same code, different config. The request and response shapes are identical across environments. To go from testing to live, swap the base URL and the API key — nothing else changes.

Making a request

curl -X POST https://api.callplus.be/api/v1/simulations \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_API_KEY" \
  -d '{
    "sourceReferenceId": "ord-2026-00041",
    "accountingFirm": {
      "name": "Example Accounting",
      "companyNumber": "0123.456.789"
    },
    "accountant": {
      "firstName": "Jean",
      "lastName": "Dupont",
      "email": "[email protected]",
      "nrn": "75.03.20-456.78"
    },
    "company": {
      "name": "Super Company",
      "companyNumber": "0987.654.321"
    },
    "companyFiscalData": {
      "vatRegistered": true,
      "socialContributionsPaidByCompany": true
    },
    "beneficiary": {
      "firstName": "Alice",
      "lastName": "Martin",
      "email": "[email protected]",
      "nrn": "85.05.15-123.45",
      "language": "FR"
    },
    "plan": {
      "referenceSalary": 50000.00,
      "benefitInKind": 12500.00,
      "type": "FULL"
    }
  }'

To send the same request against sandbox, swap the base URL to https://sandbox-api.callplus.be and the key prefix to sk_sbx_…. See Request a Call+ simulation for the full schema.

Error responses

Missing or invalid API key:

HTTP 401
{
  "success": false,
  "requestId": "...",
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key"
  }
}

Suspended account:

HTTP 403
{
  "success": false,
  "requestId": "...",
  "error": {
    "code": "FORBIDDEN",
    "message": "Tenant account is suspended"
  }
}

Security best practices

  • Never expose your API key in client-side code, public repositories, or logs.
  • Keep production and sandbox keys in separate secret stores so they can't be mixed up.
  • Rotate your key immediately if you suspect it has been compromised — contact the Call+ team.
  • Use environment variables to store keys in your application.

Updated about 1 month ago