Authentication

All API requests are authenticated with a bearer token sent in the Authorization header.

API key format

API keys are prefixed to indicate their type:

PrefixType
sk_live_Live key — use in production
sk_test_Test key — identical behavior, flagged separately in usage logs

Both key types screen against the same live data. Test keys are useful during integration to keep test traffic separated in your usage logs.

Authorization header

Pass your key as a bearer token:

Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Missing or malformed headers return 401 unauthorized. Revoked or invalid keys return the same error — no distinction is made to prevent enumeration.

Plan access

API access requires a paid plan (Starter or higher). Free-tier keys return 403 forbidden with code forbidden.

{
  "error": {
    "code": "forbidden",
    "message": "Your plan does not include API access. Upgrade to Starter or higher.",
    "request_id": "req_abc123"
  }
}

Rotating keys

  1. Go to Dashboard → API Keys and create a new key.
  2. Update your application config or secrets manager with the new key.
  3. Deploy and verify traffic is flowing through the new key.
  4. Revoke the old key from the dashboard.

You can have multiple active keys simultaneously, which makes zero-downtime rotation straightforward.

Security best practices

  • Never commit API keys to source code or version control.
  • Store keys in environment variables or a secrets manager (AWS Secrets Manager, Vault, etc.).
  • Use sk_test_ keys during development so test traffic is clearly separated.
  • Revoke keys immediately if they are exposed or compromised.
  • Create separate keys for each service or environment.