Authentication
All server-to-server requests use tenant-scoped API keys.
Send the key with every request:
HTTP
X-API-Key: your-tenant-api-key
API key scope
API keys belong to a tenant. They can be rotated, disabled, deleted, and restricted by future permission policies.
Keep API keys on trusted backend services. Do not expose them in browsers, mobile apps, public repositories, or logs.
Expected failures
- Missing key: 401 Unauthorized
- Invalid key: 401 Unauthorized
- Disabled key: 401 Unauthorized
- Restricted operation: authorization failure when operation-level policy is enabled
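Added example (not part of the original documentation or the vendor's code): a backend client that reads the key from the environment, sends it as X-API-Key, keeps it out of log output, and treats 401 as a key problem rather than something to retry. The environment variable name TENANT_API_KEY and the host api.example.invalid are assumptions.

```python
import logging
import os
import re
import urllib.error
import urllib.request

API_KEY_ENV = "TENANT_API_KEY"            # assumed environment variable name
BASE_URL = "https://api.example.invalid"  # placeholder host, not from the docs
MASK = "[REDACTED]"
_HEADER_RE = re.compile(r"(?i)(x-api-key\s*[:=]\s*)([^\s,;'\"]+)")

def redact(text, key=None):
    """Mask 'X-API-Key: value' pairs and any literal copy of the key."""
    text = _HEADER_RE.sub(r"\1" + MASK, text)
    return text.replace(key, MASK) if key else text

class RedactApiKey(logging.Filter):
    """Logging filter that scrubs the key from every record it sees."""
    def __init__(self, key=None):
        super().__init__()
        self.key = key

    def filter(self, record):
        record.msg, record.args = redact(record.getMessage(), self.key), ()
        return True

def build_request(path, key=None, method="GET"):
    """Attach the tenant key as X-API-Key; the key comes from the environment."""
    key = key or os.environ.get(API_KEY_ENV, "")
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    return urllib.request.Request(BASE_URL + path, method=method,
                                  headers={"X-API-Key": key})

def describe(req):
    """Loggable one-line summary of a request with the key header masked."""
    shown = {k: MASK if k.lower() == "x-api-key" else v
             for k, v in req.header_items()}
    return f"{req.get_method()} {req.full_url} {shown}"

def send(req, log):
    """Send once; a 401 means the key is missing, invalid or disabled."""
    log.info("request %s", describe(req))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        if err.code == 401:  # retrying with the same key cannot succeed
            log.error("401 from %s: check or rotate the key", req.full_url)
        raise
```

Attach RedactApiKey to each log handler, not only to one logger, so records from third-party libraries pass through it as well.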
Related endpoints
GET /admin/api-keys
POST /admin/api-keys
DELETE /admin/api-keys/{id}