Authentication

All API requests require authentication. There are three ways to authenticate:

| Method | Scenario |
| --- | --- |
| API Key in Authorization header | Direct server connections |
| Token in Authorization header | End-user client connections |
| Token in sub-protocol header | Browser WebSocket connections |

Warning

API keys are confidential and must never be exposed externally, for example to end-users. Do not include them in client-side code, browser requests, or mobile apps. Use tokens instead.

API Key

The simplest way to authenticate server-to-server calls. Include your API key directly in the Authorization header — no token exchange required.

Authorization: ApiKey <your_api_key>

API keys are scoped to a client and can be created and managed from the console.

Token

For client-side applications, use a short-lived access token instead of exposing your API key. Your server requests a token using the API key, then passes the token to the client.

Authorization: Bearer <your_access_token>

See the token endpoint for how to obtain an access token.

Token in Browser

Browser WebSocket APIs do not support custom headers. As an alternative, pass the access token via the Sec-WebSocket-Protocol header:

Sec-WebSocket-Protocol: bearer, <your_access_token>

In JavaScript, the browser WebSocket API sets this header automatically when the values are passed as the second argument of the constructor:

const ws = new WebSocket(url, ["bearer", accessToken]);
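
An added example, not part of the original documentation: because the token travels as a sub-protocol value, it must consist only of HTTP token characters (otherwise the browser's WebSocket constructor throws a SyntaxError), and any component that records handshake headers will see it. The helper names, the two-element header layout check, and the logging layer are assumptions made for illustration.

```javascript
// Added example: helpers for the "bearer, <your_access_token>" sub-protocol format.
// RFC 7230 "token" characters, the only ones allowed in a sub-protocol value.
const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Client side: build the array passed to new WebSocket(url, protocols).
// Fails early with a clear error instead of the browser's SyntaxError.
function bearerProtocols(accessToken) {
  if (typeof accessToken !== "string" || !TCHAR.test(accessToken)) {
    throw new TypeError("access token is not a valid sub-protocol value");
  }
  return ["bearer", accessToken];
}

// Parse a Sec-WebSocket-Protocol header value; returns the token or null.
// Assumes exactly the two-element layout shown on this page.
function parseBearerHeader(headerValue) {
  const parts = String(headerValue).split(",").map((p) => p.trim());
  if (parts.length !== 2 || parts[0] !== "bearer") return null;
  return TCHAR.test(parts[1]) ? parts[1] : null;
}

// Log side (hypothetical): mask everything after "bearer" so handshake
// logs never store the credential, even when the token is malformed.
function redactBearerHeader(headerValue) {
  const raw = String(headerValue);
  const first = raw.split(",")[0].trim();
  return first === "bearer" ? "bearer, [REDACTED]" : raw;
}

// Constructed sample values (not real credentials).
const sampleToken = "eyJhbGciOiJub25lIn0.c2FtcGxl.c2ln";
const sampleHeader = bearerProtocols(sampleToken).join(", ");
console.log(parseBearerHeader(sampleHeader) === sampleToken); // true
console.log(redactBearerHeader(sampleHeader)); // bearer, [REDACTED]
```

Tokens in base64url form (such as JWTs) pass the character check; standard base64 containing "/" or "=" does not and would need re-encoding before use as a sub-protocol value.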