Authentication

All API requests must include an Authorization header with a Bearer token.

Authorization: Bearer pk_live_7c7a680e4e3f02138d7f9a284210852f00ce492d

API keys

API keys are workspace-scoped credentials in the format pk_live_<40 hex chars>. Created in Settings → API Keys, they never expire unless revoked.

Caution

API keys are shown once only at creation time. The server stores only a SHA-256 hash. If you lose a key, revoke it and create a new one.

Permissions

API keys inherit the permissions of the workspace they belong to. Creating and revoking keys requires the admin role. A key cannot create or revoke other keys.

Security best practices

• Store keys in environment variables or a secrets manager — never in source code or git
• Use separate keys per integration and environment
• Rotate keys periodically
• Revoke immediately if compromised