Authorization: Bearer <key> header.
Key formats
Keys are shown once at creation and stored as a SHA-256 hash. Lose it = rotate it.
Scopes (optional)
By default a key inherits the role of the user who created it. You can narrow a key’s blast radius:
Set scopes when creating a key via the dashboard. Empty
scopes = full access (default).
Rotation
401 invalid_api_key.
IP allowlist (Enterprise)
Restrict a key to a list of CIDR ranges:403 ip_not_allowed.