Skip to main content

Using GraphQL


Our API is built using GraphQL. If you are new to GraphQL, please learn more about it here.

GraphQL Clients

Most developers interact with GraphQL using a preferred client as opposed to hand-crafting requests.

Here are a few clients:

The GraphQL endpoint for all requests:

Direct HTTP Access

Our API can also be directly accessed via HTTP. You can use GET and POST requests to perform operations.

JSON Response Format

All requests return results in JSON format.

Most request will contain the base form:

"data": { ... },
"errors": [ ... ]

Common Issues


​ Our API authenticates requests using an API Key and User ID.

For each request, your User ID and API key must be sent as a base64-encoded string in the Authorization header. Curri uses HTTP Basic Auth​ headers.

Continue below for more info on authenticating your API requests.


Please treat your API Key as you would a password. We suggest storing it in a secure vault or environment variable to be used by your server. Do not expose your API key in client-side, customer-facing code.

Send base64-encoded User ID & API key in Authorization header

​ Simply base64-encode a string with your User ID and API Key joined with a colon (:). ​ Example header:

Authorization: `Basic ${base64encode(userId + ':' + apiKey)}`

Full NodeJS example:

const userID = `<YOUR USER ID>`
const apiKey = '<YOUR API KEY>'
const authToken = btoa(userId + ':' + apiKey)
const authHeader = 'Basic ' + authToken

fetch('', {
headers: {
'accept': 'application/json',
'authorization': authHeader,
'content-type': 'application/json',
body: JSON.stringify({
query: `
query {
currentUser {
variables: {},
method: 'POST',

Paste the code above into the console of your web browser. If everything is configured correctly, you should see the Curri API returning both your user ID as well as your email address.

Common Pitfalls

  • You're using the API key directly in your headers and not a Base-64 encoded interpolation of your user ID + a colon + your API key
  • You're not targeting the correct URL (
  • Your authentication headers are not perfectly formatted (spaces and capitalization matter!)