Authentication
All API requests must be authenticated using an API key. Authentication ensures secure access to your workspace data and approval workflows.
⚠️ This documentation applies to the Staging environment.
🔐 Authentication Method
We use Bearer Token authentication.
Include your API key in the Authorization header of every request:
Authorization: Bearer YOUR_API_KEY
Example Request
GET /v2/approvals HTTP/1.1
Host: api.staging.yourcompany.com
Authorization: Bearer sk_test_123456789
Content-Type: application/json
🔑 Generating an API Key
- Log in to your dashboard
- Navigate to Settings → API Keys
- Click Generate New Key
- Copy and securely store your key
⚠️ For security reasons, API keys are shown only once.
🏷 API Key Types
| Key Type | Description |
| --- | --- |
| Staging Key | Used for testing and development |
| Production Key | Used for live environment requests |
| Read-Only Key | Access limited to GET endpoints |
🔄 Rotating API Keys
We recommend rotating your API keys periodically:
- Generate a new key
- Update your application configuration
- Revoke the old key
❌ Authentication Errors
If authentication fails, the API returns:
401 Unauthorized
{
  "error": "invalid_api_key",
  "message": "The provided API key is invalid or expired."
}
Common Causes
- Missing Authorization header
- Expired or revoked key
- Incorrect key format
- Using production key in staging (or vice versa)
🔒 Security Best Practices
- Never expose API keys in frontend code
- Store keys in environment variables
- Use HTTPS for all requests
- Rotate keys regularly
- Restrict access using role-based permissions
📌 Rate Limits
Authenticated requests are subject to rate limits:
- Staging: 500 requests per minute
- Production: 1,000 requests per minute
If exceeded, the API returns:
429 Too Many Requests
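The following client-side example is added here and is not part of the original documentation. It reads the key from an environment variable, refuses non-HTTPS base URLs, masks the key for logging, and treats 401 as fatal and 429 as retryable. The variable name `APPROVALS_API_KEY`, the function names and the backoff schedule are assumptions.

```python
import json
import os
from urllib.parse import urlsplit
from urllib.request import Request

BASE_URL = "https://api.staging.yourcompany.com"  # host from the example request
KEY_ENV_VAR = "APPROVALS_API_KEY"  # hypothetical variable name (assumption)


class AuthError(Exception):
    """401 or missing key: retrying with the same key cannot succeed."""


def build_request(path, base_url=BASE_URL, env=os.environ):
    """Build an authenticated GET request with the key read from the environment."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise AuthError(f"{KEY_ENV_VAR} is not set")
    headers = {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}
    return Request(base_url + path, headers=headers, method="GET")


def redact(request):
    """Authorization value for logs: only the last four key characters remain."""
    key = request.get_header("Authorization").split(" ", 1)[1]
    return "Bearer ****" + key[-4:]


def next_action(status, body, attempt):
    """Return ("ok", 0) or ("retry", seconds); raise AuthError on 401."""
    if status == 401:
        try:
            detail = json.loads(body)
        except (ValueError, TypeError):
            detail = {}
        raise AuthError(f"{detail.get('error', 'unauthorized')}: {detail.get('message', '')}")
    if status == 429:
        # Assumed policy: exponential backoff capped at the one-minute limit window.
        return ("retry", min(60, 2 ** attempt))
    return ("ok", 0)


if __name__ == "__main__":
    env = {KEY_ENV_VAR: "sk_test_123456789"}  # constructed: sample key from the page
    req = build_request("/v2/approvals", env=env)
    print(req.full_url, redact(req))
    print(next_action(429, "", attempt=3))
```

Logging the last four characters lets you confirm which key a deployment is using after a rotation without writing the secret to disk.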