Authentication

API Keys

Create and use API keys for server-to-server requests.

Modified at Apr 28, 2026, 05:38 AM UTC

Create API keys from the dashboard under API Keys. The full secret is shown once after creation, so store it in a secret manager or server environment variable before leaving the page.

Use a separate key for each integration or deployment environment. Separate keys make rotation easier and keep access easier to audit.

Expiration

An API key can have an expiration date. If no expiration date is set, the key remains usable until it is disabled or deleted from the dashboard.

What You Can Inspect

The key detail page shows the key status, masked secret, expiry, last-used time, webhook URL, and saved permissions. Use this page to confirm what a key can access before debugging an integration.

Key Format

API keys are sent as a single Bearer token:

Authorization: Bearer <api_key>

The full key value is secret. Treat it like a password.

Request Header

Send the API key through the Authorization header:

Authorization: Bearer <api_key>Accept: application/json

For endpoints with a JSON body, include:

Content-Type: application/json

Permissions

See which permissions an API key can use and what each permission unlocks.