API Authentication

Authenticate Business API requests with a Bearer API key

Send the API key in the standard Authorization header:

Authorization: Bearer sk-your-api-key

Key practices

  • Use API keys only from trusted server environments.
  • Create separate keys for production, staging, and individual integrations.
  • Revoke a key immediately when it may have been exposed.
  • Do not include keys in URLs, logs, analytics events, screenshots, or support messages.
  • A canceled Business subscription remains usable until its current paid period ends. Existing keys stop authorizing API requests after that date.

Missing, malformed, inactive, and invalid keys return HTTP 401. A valid key without an active Business subscription returns HTTP 403.

On this page