
API keys

Each key belongs to one team. Every request is restricted to that team’s data.

Sending the key

Send the full secret in the Authorization header using the Bearer scheme (a common pattern for HTTP APIs):
Authorization: Bearer fk_live_...
If your client or gateway cannot set Authorization, the same secret is accepted in X-Api-Key.

Key format

Keys start with fk_live_ followed by a random secret. Store the full value securely (secret manager, environment variables). Never commit keys to source control or expose them in a browser.

Missing, invalid, or revoked keys

  • No key → 401; the message explains that the header is missing.
  • Invalid key → 401.
  • Revoked key → 401.
Use error.message to distinguish between these cases. For support, provide error.request_id and the X-Request-Id header.
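
The following client-side helper is an added example, not code from this API's documentation or SDK. It loads the key from the environment, builds either header form, and turns a 401 into a key-free summary for a support ticket. The FK_API_KEY variable name, the function names, the JSON body shape (an error object with message and request_id) and X-Request-Id being a response header are assumptions.

```python
import json
import os
import re

KEY_PREFIX = "fk_live_"  # prefix documented on this page

def load_key(env=os.environ, var="FK_API_KEY"):  # variable name is an assumption
    """Read the key from the environment instead of source code."""
    key = env.get(var, "").strip()
    if not key.startswith(KEY_PREFIX) or key == KEY_PREFIX:
        raise ValueError(f"{var} is unset or is not an {KEY_PREFIX} key")
    return key

def auth_headers(key, use_x_api_key=False):
    """Bearer by default; X-Api-Key only when Authorization cannot be set."""
    if use_x_api_key:
        return {"X-Api-Key": key}
    return {"Authorization": f"Bearer {key}"}

def redact(text):
    """Mask anything shaped like a key before it reaches logs or tickets."""
    return re.sub(re.escape(KEY_PREFIX) + r"[^\s\"',;]+", KEY_PREFIX + "[REDACTED]", text)

def describe_401(status, headers, body):
    """Summarise a 401 for support: message plus both request ids, no key."""
    if status != 401:
        return None
    try:
        err = json.loads(body).get("error")
    except (ValueError, AttributeError):
        err = None
    if not isinstance(err, dict):  # body shape is assumed; tolerate anything else
        err = {}
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return {
        "message": redact(str(err.get("message", ""))),
        "request_id": err.get("request_id"),
        "x_request_id": lower.get("x-request-id"),
    }

# Constructed sample response (not captured from the real API).
SAMPLE_HEADERS = {"x-request-id": "req_example_1"}
SAMPLE_BODY = '{"error": {"message": "Invalid API key", "request_id": "req_example_1"}}'

if __name__ == "__main__":
    print(auth_headers("fk_live_" + "x" * 8, use_x_api_key=True).keys())
    print(describe_401(401, SAMPLE_HEADERS, SAMPLE_BODY))
```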