Authentication

API keys, environments, scopes, and the constraints to plan around.

Every request to the API needs a Bearer token. Keys are workspace-scoped and you can issue as many as you want — typically one per environment, per service, per teammate.

#Key format

Keys look like sk_<env>_<prefix6>_<tail32>. Send them in the Authorization header:

bash

Authorization: Bearer sk_live_a3f2b1_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

We store an Argon2id hash of the full key — the plaintext is shown exactly once on creation. Lose it and you'll need to generate a new one (revoking the old one).

#Test vs live

Two environments per workspace: test and live. They share quotas and configuration, but operate against the same backend (no "sandbox" data diverges). The split exists so you can clearly separate dev calls from production calls in usage reports and audit logs.

sk_test_* — for development; recommended for CI.
sk_live_* — for production traffic; rotate aggressively.

#Rotating keys

Issue a new key, deploy with it, then revoke the old one from the dashboard. Revocation is immediate; in-flight requests using the old key receive 401 unauthorized on the next call.

Operational hygiene

Set a calendar reminder to rotate live keys quarterly. If a key is compromised, revoke immediately — failed jobs are not billed, so revocation is safe even mid-pipeline.

#Scopes

Today every key has the same workspace-wide permissions. Per-key scopes (files:write, jobs:read, etc.) are coming — track progress on the changelog.

#Browser-side use

Never embed a live key in client-side JavaScript. Two safe patterns:

Backend proxy: your server holds the key and proxies requests for the browser.
Test keys + spend cap: for prototypes, a test key with a low monthly spend cap limits blast radius if leaked.

#Rate limits

Default: 60 requests / minute / key, burst 120. When exceeded, the API returns 429 rate_limited with a Retry-After header. Limits scale with your plan — contact sales for higher floors.