Skip to main content
All requests authenticate via the Authorization: Bearer <key> header.

Key formats

Keys are shown once at creation and stored as a SHA-256 hash. Lose it = rotate it.

Scopes (optional)

By default a key inherits the role of the user who created it. You can narrow a key’s blast radius: Set scopes when creating a key via the dashboard. Empty scopes = full access (default).

Rotation

Revocation is immediate. Subsequent requests with the revoked key get 401 invalid_api_key.

IP allowlist (Enterprise)

Restrict a key to a list of CIDR ranges:
Requests outside the allowlist return 403 ip_not_allowed.

What happens when auth fails