Authentication

Learn how to authenticate with the YT AI Thumbnail API using API keys.

All API requests require authentication using an API key. API keys are scoped to your organization and provide access to all organization resources.

Creating an API Key

  1. Go to your Dashboard Settings
  2. Navigate to the "API Keys" section
  3. Click "Create API Key"
  4. Give your key a descriptive name (e.g., "Production App", "Development")
  5. Set an expiration date (optional)
  6. Copy the key immediately - it will only be shown once

Using Your API Key

Include your API key in the Authorization header of every request:

curl https://yourdomain.com/api/v1/auth/verify \
  -H "Authorization: Bearer api_your_key_here"

API Key Format

API keys follow this format:

  • Prefix: api_
  • Length: 41 characters total
  • Example: api_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Verifying Your Key

Test that your API key is valid:

curl https://yourdomain.com/api/v1/auth/verify \
  -H "Authorization: Bearer api_your_key_here"

Response:

{
  "data": {
    "valid": true,
    "organization": {
      "id": "uuid",
      "name": "Your Organization",
      "tier": "creator"
    },
    "user": {
      "id": "uuid",
      "name": "John Doe",
      "email": "john@example.com"
    }
  }
}

Security Best Practices

  1. Never expose API keys in client-side code - API keys should only be used server-side
  2. Use environment variables - Store keys in environment variables, not in code
  3. Rotate keys regularly - Create new keys periodically and revoke old ones
  4. Set expiration dates - Use key expiration for additional security
  5. Use separate keys for development and production - This allows you to revoke dev keys without affecting production

Error Responses

| Status | Error | Description |
|--------|-------|-------------|
| 401 | Missing Authorization header | No Authorization header provided |
| 401 | Invalid Authorization header format | Header doesn't match Bearer <token> format |
| 401 | API key not found or expired | Key is invalid, revoked, or expired |
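
The following is an added example, not code from this API's documentation or SDK: a server-side Python client that loads the key from an environment variable (practices 1 and 2 above), calls the verify endpoint, and handles the 401 responses without writing the key to logs. The variable name `YT_THUMBNAIL_API_KEY` and the helper names are assumptions; the 401 body is not parsed because its shape is not documented here.

```python
import json
import os
import urllib.error
import urllib.request

KEY_ENV_VAR = "YT_THUMBNAIL_API_KEY"  # assumed variable name, not from the docs
KEY_PREFIX = "api_"                   # key prefix documented above


def load_api_key(env=os.environ):
    """Read the key from the environment; never hard-code it in source."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise RuntimeError(f"{KEY_ENV_VAR} is unset or is not an api_ key")
    return key


def redact(key):
    """Form that is safe to log: the prefix plus the last four characters."""
    return f"{KEY_PREFIX}...{key[-4:]}"


def verify_key(base_url, env=os.environ, opener=urllib.request.urlopen):
    """Call /api/v1/auth/verify; return (ok, detail) without leaking the key."""
    key = load_api_key(env)
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send a bearer key over a non-HTTPS URL")
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/auth/verify",
        headers={"Authorization": f"Bearer {key}"},
    )
    try:
        with opener(req, timeout=10) as resp:
            data = json.load(resp)["data"]
    except urllib.error.HTTPError as err:
        if err.code == 401:
            # Missing header, bad format, or key not found/expired (see table).
            return False, f"401 for key {redact(key)}: rotate or re-issue it"
        raise  # other statuses are not documented here; let the caller decide
    # On success, report validity and the organization the key is scoped to.
    return bool(data.get("valid")), data.get("organization", {}).get("name")
```

The `opener` parameter exists so the call can be exercised with a stub in tests; in production leave it at its default.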

Revoking Keys

To revoke an API key:

  1. Go to your Dashboard Settings
  2. Find the key in the "API Keys" section
  3. Click the delete/revoke button
  4. Confirm the action

Revoked keys immediately stop working for all requests.