title: Authentication description: Scoped API keys for programmatic access.

Authentication

Programmatic access to authenticated endpoints uses scoped API keys. Keys are high-entropy tokens (sk_live_ + random) verified with a constant-time HMAC comparison. The raw key is shown exactly once at creation and is never stored in readable form.

Create a key

  1. Open Workspace → Settings → API Keys.
  2. Click Create key, choose a scope, and copy the secret immediately — you will not see it again.

A key has:

  • A prefix (sk_live_…) shown in the UI for identification.
  • A scope (least privilege — e.g. submissions:write).
  • An expiry, optional.
  • A revoked flag — revoke instead of deleting (the action is audit-logged).

Use a key

Send it in the Authorization header as a bearer token:

curl https://your-app.vercel.app/api/... \
  -H "Authorization: Bearer sk_live_xxxxxxxxxxxx"

Security model

  • Keys are validated server-side on every request; client checks are UX only.
  • Verification is constant-time to prevent timing attacks.
  • Keys are never logged, never returned in API responses, and never placed in URLs or query strings.
  • Rotate by issuing a new key, overlapping it with the old, then revoking the old once traffic has moved.

Treat API keys like passwords. Rotate them regularly and scope them to the minimum a consumer needs.