Pricing and entitlement
API access is gated by the ApiAccess subscription feature. It is included with the Enterprise plan, and available as a paid add-on on every other tier. Calls authenticated by an API key against a company without ApiAccess return HTTP 402 with code: "API_ACCESS_NOT_ENABLED" before they reach a controller.
This page is the authoritative source for which plan a partner’s customer needs. Marketing pages (locco.hr/cijene) describe the tiers in human terms; the matrix below is what the runtime enforces.
The rule
- ApiAccess is included on the Enterprise plan.
- On every other tier, ApiAccess is available as a paid add-on. Without the add-on, requests are rejected with 402.
- The check runs once per request, after authentication and after the X-Company-Id header has been resolved to a target company. A request that passes the gate consumes a slot in the rate-limit windows; a request that fails the gate does not.
The feature is keyed off the target company resolved from X-Company-Id, not the API key’s owning user. A user who belongs to two companies (one with ApiAccess, one without) will succeed against the entitled tenant and 402 against the other with the same key.
Tier matrix
| Plan | API access |
|---|---|
| Free | Add-on |
| Business | Add-on |
| Plus | Add-on |
| Professional | Add-on |
| Enterprise | Included |
To unlock API access, customers can either upgrade to Enterprise (which bundles ApiAccess with the rest of the tier) or add the ApiAccess add-on to their current plan. Both paths are in the locco web app under Settings → Subscription.
The 402 response
When a key hits a company that lacks ApiAccess, the partner API returns HTTP 402 with the canonical error envelope:
```json
{
  "code": "API_ACCESS_NOT_ENABLED",
  "type": "PaymentRequired",
  "title": "<localized human message>",
  "status": 402
}
```

- code: stable. Partners filter on this string. The constant is in the error catalog.
- type: legacy category, kept for SPA compatibility. Do not branch on it.
- title: localized to the request’s Accept-Language (defaults to hr). Never parse it. The wording is not stable across releases. The actual text comes from the partner API’s resource files (SharedResource.resx / SharedResource.hr.resx).
- status: mirrors the HTTP status line.

402 Payment Required is the standard code for entitlement gaps. It is the same status used industry-wide for “the credentials are valid but the plan does not include this surface.”
Content-Type is application/json. The response is short: no errors dictionary, no per-field detail. There is nothing for the partner to retry with different inputs. The only resolution is for the customer to upgrade.
Recommended partner handling
A 402 from the partner API is a customer-state error, not a transient one. Retrying the same key against the same company will keep returning 402 until the customer upgrades.
A reasonable client handler:
- On 402 with code: "API_ACCESS_NOT_ENABLED", stop the integration’s polling loop for that company and surface a clear “this customer’s locco plan does not include API access” message in your UI or operations console.
- Do not back off and retry. The window is not transient.
- If the integration spans multiple companies, isolate the gate to the failing company. Other companies on Enterprise should keep working.
For a detailed walk through every error code the partner API can emit, see the error catalog.
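The handler described above, sketched as an added example (not code from the locco partner API or its SDKs). The `fetch` callable, the `CompanyPoller` class, and the company identifiers are hypothetical; the sample responses are constructed.

```python
import json

GATE_CODE = "API_ACCESS_NOT_ENABLED"  # stable code from the 402 envelope
GATED_MESSAGE = "this customer's locco plan does not include API access"

def is_entitlement_gate(status, body):
    """True only for HTTP 402 whose JSON body carries the stable code."""
    if status != 402:
        return False
    try:
        envelope = json.loads(body)
    except (ValueError, TypeError):
        return False  # not the canonical envelope; treat as some other error
    # Branch on `code` alone: `type` is legacy and `title` is localized.
    return isinstance(envelope, dict) and envelope.get("code") == GATE_CODE

class CompanyPoller:
    """Polls several companies with one key and parks only the gated ones."""

    def __init__(self, fetch, company_ids):
        self.fetch = fetch    # hypothetical: fetch(company_id) -> (status, body)
        self.active = list(company_ids)
        self.gated = {}       # company_id -> message for the operations console

    def poll_once(self):
        results = {}
        for company_id in list(self.active):
            status, body = self.fetch(company_id)
            if is_entitlement_gate(status, body):
                # Customer-state error: no backoff, no retry, stop polling.
                self.active.remove(company_id)
                self.gated[company_id] = GATED_MESSAGE
                continue
            results[company_id] = status
        return results

def demo():
    # Constructed responses: one entitled tenant, one without ApiAccess.
    gate = json.dumps({"code": GATE_CODE, "type": "PaymentRequired",
                       "title": "<localized human message>", "status": 402})
    responses = {"company-a": (200, "{}"), "company-b": (402, gate)}
    calls = []

    def fetch(company_id):
        calls.append(company_id)
        return responses[company_id]

    poller = CompanyPoller(fetch, ["company-a", "company-b"])
    first, second = poller.poll_once(), poller.poll_once()
    return first, second, poller.gated, calls
```

The second `poll_once()` no longer calls the gated company, while the entitled company keeps being polled with the same key.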
Related
- Authentication: bearer tokens, the X-Company-Id header, and key rotation.
- Errors: the full catalog of stable machine-readable error codes.
- Rate limits: per-second, per-hour, and per-day caps on the Enterprise tier.