API Reference

Authentication

Every authenticated endpoint takes a single Bearer token. Keys are scoped per-plan, hashed at rest, and rotatable without downtime.

Header format

Authorization: Bearer sk_free_vnZms-u7ddCsDkhWlSEw5ZU0pCKfVq4FQDeQvIPWbww

Missing or malformed → 401 UNAUTHORIZED. Revoked keys also return 401 — never a 403.

Key prefixes

sk_free_    Free       500 calls / month, 10/min. All tools, JSON responses, community support.
sk_live_    Builder    50,000 calls / month, 120/min. Coming soon.
sk_wl_      Team       Unlimited calls, 600/min, white-label embedding. Coming soon.

Lifecycle

  • Created at Dashboard → API Keys. The full value is shown once at creation. We store only a SHA-256 hash.
  • Rotation: creates a new key with the same label and revokes the old one in the same transaction. The old key returns 401 immediately on the next call.
  • Revocation: soft-delete (sets revokedAt). Usage logs are kept for audit and billing.
  • Free plan limit: up to 3 active keys per account.

Security model

  • Keys are 32 bytes of cryptographic randomness, base64url-encoded with a tier prefix.
  • Stored as a SHA-256 hash. We never log the plaintext; incoming requests are hashed and compared in constant time.
  • The dashboard displays a 4-char head / 4-char tail preview (sk_free_AbCd…WxYz) so you can identify which key is which without exposing the full value.
  • Send keys over HTTPS only. The local-dev URL is HTTP; never use a production key against localhost.
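
The Lifecycle and Security model rules above, as an added Python sketch (not this service's own code): key generation, hash-only storage, constant-time verification, rotation and the dashboard preview. The in-memory `store` list, the tier names used as dictionary keys, and every function name are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time

# Prefixes from the table above; the dict keys are illustrative names.
PREFIXES = {"free": "sk_free_", "builder": "sk_live_", "team": "sk_wl_"}

def generate_key(tier):
    """32 random bytes, base64url without padding, behind the tier prefix."""
    body = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return PREFIXES[tier] + body

def hash_key(key):
    return hashlib.sha256(key.encode("utf-8")).digest()

def preview(key):
    """4-char head / 4-char tail of the random part, for dashboard display."""
    prefix = next(p for p in PREFIXES.values() if key.startswith(p))
    body = key[len(prefix):]
    return f"{prefix}{body[:4]}…{body[-4:]}"

def create(store, tier, label):
    """Persist only the hash; the plaintext is returned once and not kept."""
    key = generate_key(tier)
    store.append({"label": label, "hash": hash_key(key), "revokedAt": None})
    return key

def rotate(store, old_key, tier):
    """Issue a new key with the same label and revoke the old one together."""
    digest = hash_key(old_key)
    rec = next(r for r in store if hmac.compare_digest(r["hash"], digest))
    rec["revokedAt"] = time.time()  # soft-delete: the record stays for audit
    return create(store, tier, rec["label"])

def authenticate(header, store):
    """Return 200 for an active key; 401 for missing, malformed or revoked."""
    if not header or not header.startswith("Bearer "):
        return 401
    key = header[len("Bearer "):]
    if not any(key.startswith(p) for p in PREFIXES.values()):
        return 401
    digest = hash_key(key)
    status = 401
    for rec in store:  # no early exit; compare_digest runs in constant time
        if hmac.compare_digest(rec["hash"], digest) and rec["revokedAt"] is None:
            status = 200
    return status
```

The random part is always 43 characters, which is the unpadded base64url length of 32 bytes and matches the sample key in the header example.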

If a key leaks

  1. Revoke immediately from the dashboard.
  2. Generate a new key.
  3. Check usage stats for unfamiliar activity in the last 30 days.
