Authentication
Public API requests use Developer API keys.Create an API key
Create an API key from Developer API in the user menu. The full key is shown only once. Store it like a password. API keys use this shape:Send the key
Send the key as a Bearer token:Scopes
Each API key carries scopes that bound what it can do:| Scope | Allows |
|---|---|
read | List and read subscriptions; call the analytics and audit endpoints |
write | Everything read allows, plus create, update, cancel, pause, resume, and delete |
read is always present. By default a new key is granted both read and write. To create a read-only key — useful for analysis agents that should never modify data — pass a scopes array when creating the key:
403 insufficient_scope. The created key object includes its scopes.
Failed authentication limits
Invalid API key attempts are rate-limited per client identity. The default limit is:API_FAILED_AUTH_RATE_LIMIT_PER_HOUR to override the default.
Security notes
- Do not expose API keys in browser code.
- Treat API keys like passwords.
- Revoke keys that are no longer needed.
- Use one key per integration where possible.
- Rotate keys if a secret may have been copied into logs or prompts.