title: Authentication description: Scoped API keys for programmatic access.
Authentication
Programmatic access to authenticated endpoints uses scoped API keys. Keys
are high-entropy tokens (sk_live_ + random) verified with a constant-time
HMAC comparison. The raw key is shown exactly once at creation and is never
stored in readable form.
Create a key
- Open Workspace → Settings → API Keys.
- Click Create key, choose a scope, and copy the secret immediately — you will not see it again.
A key has:
- A prefix (
sk_live_…) shown in the UI for identification. - A scope (least privilege — e.g.
submissions:write). - An expiry, optional.
- A revoked flag — revoke instead of deleting (the action is audit-logged).
Use a key
Send it in the Authorization header as a bearer token:
curl https://your-app.vercel.app/api/... \
-H "Authorization: Bearer sk_live_xxxxxxxxxxxx"
Security model
- Keys are validated server-side on every request; client checks are UX only.
- Verification is constant-time to prevent timing attacks.
- Keys are never logged, never returned in API responses, and never placed in URLs or query strings.
- Rotate by issuing a new key, overlapping it with the old, then revoking the old once traffic has moved.
Treat API keys like passwords. Rotate them regularly and scope them to the minimum a consumer needs.