Quickstart

Get an API token, hit the sandbox to validate your integration, then point at production when you're ready.

1. Get your API token

API tokens are issued by the Delio team. Reach out to your Delio integration contact and tell us:

  • The tenant the token should belong to.
  • Whether you need a sandbox token, a production token, or both (most teams start with sandbox).
  • The team or system that will hold the token, so we can scope it appropriately.

Tokens are bearer credentials, so treat them like passwords. Rotate them on a regular schedule by regenerating via the Token API. Regenerating invalidates the previous value and returns a new one in the response, so update any stored credentials before issuing further requests.

2. Hit the sandbox

Every tenant has two environments:

  • Sandbox — a playground with isolated data, safe for development, end-to-end testing, and demos. URLs look like https://<tenant>.sandbox.deliowealth.com/.
  • Production — your live tenant. URLs look like https://<tenant>.deliowealth.com/.

The API surface is identical between the two. Build against sandbox, then switch the base URL once your integration is signed off.

Base URL

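All API endpoints are reached via https://<tenant>.<env>.deliowealth.com/kong/core/api/gateway/{path}, where <env> is sandbox for the sandbox environment. Production hosts omit the environment segment, as in the production URL above (https://<tenant>.deliowealth.com/kong/core/api/gateway/{path}). Authentication uses bearer tokens in the Authorization header.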

3. Make your first request

Once you have a token, a request to GET /api/users should return your tenant's users:

cURL

curl https://<tenant>.sandbox.deliowealth.com/kong/core/api/gateway/api/users \
  -H "Authorization: Bearer $DELIO_API_TOKEN"

A 200 with a paginated list of users means you're wired up. A 401 means the token isn't being sent or has been revoked; a 403 means the token is valid but lacks scope.

When you're ready to go live

When your integration is built against sandbox and you're ready to point at production:

  1. Ask the Delio team for a production token.
  2. Swap the base URL.
  3. Re-run your end-to-end smoke test against the live environment with a single low-stakes call (e.g. GET /api/users paginated to one record) to confirm credentials before broader traffic.

Treat going live as a deployment — gate it behind a config change so you can roll back without code edits.
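
One way to build that config gate and smoke test, as an added example in Python (not Delio's own code). It builds the base URL from two config values, refuses tenant values that would send the bearer token to a host outside deliowealth.com, and maps the 200/401/403 outcomes described above. DELIO_TENANT and DELIO_ENV are assumed variable names, and tenants are assumed to be single lowercase DNS labels.

```python
import os
import re
import urllib.error
import urllib.request

GATEWAY_PATH = "/kong/core/api/gateway"  # from the Base URL section
# Assumption: a tenant is a single lowercase DNS label.
TENANT_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def base_url(tenant: str, env: str) -> str:
    """Build the gateway base URL from two config values (tenant, env)."""
    # A dot or slash in the tenant could point the token at another host.
    if not TENANT_RE.fullmatch(tenant):
        raise ValueError(f"invalid tenant: {tenant!r}")
    hosts = {"sandbox": f"{tenant}.sandbox.deliowealth.com",
             "production": f"{tenant}.deliowealth.com"}
    if env not in hosts:
        raise ValueError(f"unknown environment: {env!r}")
    return f"https://{hosts[env]}{GATEWAY_PATH}"


def diagnose(status: int) -> str:
    """Map the status codes this page documents to a next step."""
    return {
        200: "ok: credentials and base URL are wired up",
        401: "token is not being sent or has been revoked",
        403: "token is valid but lacks scope",
    }.get(status, f"unexpected status {status}")


def smoke_test(tenant: str, env: str, token: str) -> int:
    """Send one GET /api/users and return the HTTP status code."""
    req = urllib.request.Request(base_url(tenant, env) + "/api/users")
    # Unredirected header: the token is not replayed if the server redirects.
    req.add_unredirected_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and 403 arrive as HTTPError


if __name__ == "__main__":
    env = os.environ.get("DELIO_ENV", "sandbox")  # default to the safe side
    status = smoke_test(os.environ["DELIO_TENANT"], env,
                        os.environ["DELIO_API_TOKEN"])
    print(f"{env}: {status} {diagnose(status)}")  # never print the token
    raise SystemExit(0 if status == 200 else 1)
```

Rolling back is then a matter of setting DELIO_ENV back to sandbox and restoring the sandbox token, with no code change.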