Get started

Quarzo provides a collection of APIs that enable you to integrate with our products and services. This guide will walk you through everything you need to make your first API call.

How it works

Our APIs accept and return JSON in the HTTP body and use standard HTTP response codes. You can consume them directly using any HTTP or REST library — no SDK required.

Authentication is based on signed JWTs using a certificate you generate yourself. Your private key never leaves your machine.

Glossary

The world of insurance has a rich vocabulary. We have put together a glossary to help you.

Glossary

Before you begin

You will need:

• Access to the Quarzo dashboard — request a sandbox account if you don't have one yet
• openssl installed on your machine (openssl version to verify)

Sandbox environment

The sandbox lets you test API calls without affecting live data. All resources created there are isolated and will never appear in production.

Step 1 — Download your configuration file

In the dashboard, navigate to Settings → API → Certificates and click Generate certificate.

Download the configuration file provided: quarzo_csr.conf. It is pre-filled with your account details and is valid for a single use.

Step 2 — Generate your private key and CSR

Run the following command in the same directory as the configuration file:

openssl req -new -config quarzo_csr.conf -sha512 -newkey rsa:2048 -keyout private_key.pem

OpenSSL will prompt you for a passphrase to protect your private key:

Enter PEM pass phrase: ••••••••••••••••
Verifying - Enter PEM pass phrase: ••••••••••••••••

Keep your passphrase safe

There is no way to recover it. If you lose it, you will need to generate a new certificate from scratch.

This produces two files:

File	Description
private_key.pem	Your private key. Never share or commit this file.
(stdout)	The Certificate Signing Request (CSR) printed to the terminal.

Step 3 — Submit your CSR

The terminal will print a block that looks like this:

-----BEGIN CERTIFICATE REQUEST-----
MIICpDCCAYwCAQAwXzELMAkGA1UEBhMCRlIxITAfBgNVBAoMGEIgTGlmZSBIb2xk
aW5nIC0gU2FuZGJveDEtMCsGA1UEAwwkMGUyYjBhOTAtN2VjMC00Y...
-----END CERTIFICATE REQUEST-----

Copy the entire block, including the -----BEGIN----- and -----END----- lines, then paste it into the Certificate request field in the dashboard and click Submit.

Step 4 — Retrieve your thumbprint

Once the certificate is validated, the dashboard displays the x5t#S256 thumbprint — a SHA-256 fingerprint of your certificate.

x5t#S256: 3A14ZcxIaasp4RHaYReL7wevm3oDzn7ZqmgqScCMY74

You will need this value when building your JWT header.

Step 5 — Make your first request

You now have everything you need:

• ✅ A private key (private_key.pem)
• ✅ A x5t#S256 thumbprint
• ✅ A sec secret (visible in Settings → API)

Build a signed JWT and attach it as a bearer token. See the Authentication page for the exact header and payload structure, and a worked example.

GET /v1/accounts HTTP/1.1
Host: api.sandbox.quarzo-life.com
Authorization: Bearer <your-signed-jwt>

A 200 response means you're set up correctly.

Security checklist

Before going to production, make sure you have:

• [ ] Stored private_key.pem outside your source repository (use a secrets manager or environment variable)
• [ ] Added private_key.pem to your .gitignore
• [ ] Rotated to a production certificate (sandbox certificates are rejected by the production endpoint)
• [ ] Synchronized your system clock — we enforce a 5-second maximum clock skew on every request

Next steps

Authentication → Learn how to sign your JWT and structure the payload claims for each request.

Environments → Switch between the sandbox and production endpoints.

API reference → Browse all available endpoints.