HTTP Feed Authentication

Many product feeds require authentication. Catalogian supports multiple auth methods for HTTP sources so you can connect to protected feeds without exposing credentials.

Supported auth methods

Method	Auth type value	How it works
None	`none`	No authentication — public URL
Basic Auth	`basic`	Username + password sent as Basic header
Bearer Token	`bearer`	Token sent as Authorization: Bearer header
API Key (header)	`api_key_header`	API key sent in a custom header
API Key (query)	`api_key_query`	API key appended as a URL query parameter

Basic Auth

Send a username and password as HTTP Basic authentication:

curl -X POST https://api.catalogian.com/v1/sources \
  -H "Authorization: Bearer $CATALOGIAN_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Protected Feed",
    "type": "http",
    "url": "https://feeds.vendor.com/products.csv",
    "format": "csv",
    "keyField": "sku",
    "checkIntervalMinutes": 240,
    "authType": "basic",
    "authUsername": "catalogian",
    "authPassword": "vendor-secret"
  }'

Bearer token

If your feed requires an Authorization: Bearer header:

{
  "name": "API-Protected Feed",
  "type": "http",
  "url": "https://api.vendor.com/export/products.csv",
  "format": "csv",
  "keyField": "product_id",
  "authType": "bearer",
  "authToken": "vendor_token_abc123"
}

API key in a custom header

Some APIs require a custom header like X-API-Key:

{
  "name": "Vendor API Feed",
  "type": "http",
  "url": "https://api.vendor.com/catalog/export",
  "format": "jsonl",
  "keyField": "id",
  "authType": "api_key_header",
  "authHeaderName": "X-API-Key",
  "authHeaderValue": "vendor_key_xyz"
}

API key as a query parameter

If the feed URL expects the API key as a query string parameter:

{
  "name": "Query Auth Feed",
  "type": "http",
  "url": "https://feeds.vendor.com/products.csv",
  "format": "csv",
  "keyField": "sku",
  "authType": "api_key_query",
  "authQueryParam": "api_key",
  "authQueryValue": "vendor_key_xyz"
}

Catalogian appends the query parameter to the URL at fetch time:?api_key=vendor_key_xyz. If the URL already has query params, it appends with &.

IP allowlisting

If your feed server requires IP allowlisting, add the following Catalogian egress IPs to your allowlist. Contact [email protected] for the current IP list — it may change as infrastructure scales.

Prefer token-based auth over IP allowlisting. Token auth is more portable and doesn't break if Catalogian's infrastructure changes. Use IP allowlisting as a secondary layer, not the only auth.

Credential security

All authentication credentials (passwords, tokens, API keys) are encrypted at rest using AES-256-GCM. They are never returned in API responses after creation — you'll see a confirmation that auth is configured but not the actual values.

Need to connect via SFTP instead? SFTP Setup →