Authentication

All API requests authenticate with a bearer token. Send your API key in the Authorization header on every request.

Authorization: Bearer sk_live_replace_me

Keep secrets out of source control

Treat API keys like passwords. Never commit them — use environment variables, a secrets manager, or your platform’s built-in vault.

Key types

Prefix	Environment	Notes
sk_live_	Production	Acts on real data. Rotate immediately if leaked.
sk_test_	Sandbox	Safe for development. Data is isolated from production.

Rotating a key

1. Create a new key in Settings → API keys.
2. Deploy the new key to your application.
3. Revoke the old key once traffic has migrated.

Scoping

Restrict what a key can do by assigning scopes at creation time — for example, widgets:read for a read-only integration. Requests using a key without the required scope receive a 403 Forbidden response.

Tip

Customize this page with your own auth model — OAuth, SSO, signed webhooks, or per-user tokens — whatever your product supports.