Authentication
Every API request requires a Bearer token scoped to your organization. Create keys in the dashboard, set the permissions you need, and include the token in every request.
How to authenticate
Add the Authorization header to every request:
Authorization: Bearer op_live_your_key_here
Invalid or missing keys return 401 INVALID_API_KEY.
Suspended organizations return 403 ORGANIZATION_SUSPENDED.
Creating API keys
Go to Dashboard → API Keys to create a new key. The full key is shown once at creation — copy it immediately. You can create multiple keys with different permissions for different integrations.
Keys are organization-scoped
Each key belongs to one organization. All jobs, credits, and rate limits are tracked per-org, not per-key. If you have multiple organizations, create separate keys for each.
Permissions
When creating a key, select the permissions your integration needs. Keys without the right permissions will receive 403 on restricted routes.
| Permission | What it grants |
|---|---|
| classify:create | Create classify jobs from text or URLs. |
| scan:create | Create scan and deep-scan jobs. |
| jobs:read | Read job status and timing data. |
| results:read | Read completed job results. |
| credits:read | Read current credit balances. |
| webhooks:write | Create and test webhook endpoints. |
Grant each key only the permissions your integration actually needs. You can always create additional keys with broader access later.
Security best practices
Never commit keys to version control
Use environment variables or a secrets manager. If a key is exposed, rotate it immediately in the dashboard.
Use the narrowest permissions possible
A read-only integration should only have jobs:read, results:read, and credits:read.
Rotate keys when team members leave
Revoke old keys and create new ones. Active keys can be deleted from the dashboard at any time.
Use separate keys for separate environments
Don't share a key between staging and production. Create one key per environment so you can revoke independently.
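A client-side sketch of the practices above, added here as an illustration and not taken from the provider's SDK: it loads one key per environment from an environment variable, builds the documented header, maps the documented 401/403 responses to a cause, and flags permissions beyond the read-only set. The `OP_API_KEY_<ENV>` variable names, the function names, and the assumption that the caller has already extracted the error code string from the response are all hypothetical.

```python
import os

# Permission names are the ones in the page's table.
READ_ONLY = frozenset({"jobs:read", "results:read", "credits:read"})


def load_key(env_name, environ=None):
    """Read one environment's key from its own variable (name is an assumption)."""
    environ = os.environ if environ is None else environ
    var = "OP_API_KEY_" + env_name.upper()
    key = environ.get(var, "").strip()
    if not key:
        # No fallback: staging must never silently pick up the production key.
        raise RuntimeError(f"{var} is not set")
    return key


def auth_headers(key):
    """Build the documented header: Authorization: Bearer <key>."""
    if any(c.isspace() for c in key):
        raise ValueError("API key contains whitespace")  # blocks CR/LF header injection
    return {"Authorization": f"Bearer {key}"}


def redact(key):
    """Log-safe form of a key: prefix and last four characters only."""
    return key[:8] + "..." + key[-4:] if len(key) > 16 else "***"


def explain_failure(status, code=None):
    """Map the documented auth failures to a cause.

    `code` is the error code string; the page does not say where it sits in
    the response, so the caller extracts it.
    """
    if status == 401:
        return "invalid_key"          # 401 INVALID_API_KEY: fix or rotate, do not retry
    if status == 403 and code == "ORGANIZATION_SUSPENDED":
        return "org_suspended"        # no key change will help
    if status == 403:
        return "missing_permission"   # key lacks the permission for this route
    return "not_auth"


def excess_permissions(granted, needed=READ_ONLY):
    """Permissions on a key beyond what the integration needs."""
    return sorted(set(granted) - set(needed))
```

Pass `redact(key)` rather than the key itself to any logger, and run `excess_permissions` against the permissions you selected in the dashboard when reviewing a key.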