Get started
Authentication
Every request is authenticated with a workspace-scoped bearer token.
API keys
Create keys in the app under Access & tokens (Admin only). A key inherits the permissions of the account tier it's issued under — User, Staff, or Admin — so a User key can never reach billing or admin resources.
Sending the token
Pass your key as a bearer token in the Authorization header:
Scopes & tiers
Keeping keys safe
Keys are secrets. Store them in environment variables, never in client code or version control. Rotate a key immediately if it may have been exposed — old keys can be revoked from the same screen without downtime for others.
All API traffic must use HTTPS. Requests over plain HTTP are rejected. Never put a key in a URL query string.