Authentication
API keys, scopes, rotation, and security best practices.
All API requests require a Bearer token:
Authorization: Bearer sk_live_YOUR_KEY
Key Format
Keys use the format sk_live_ followed by 48 hex characters (56 total).
Scopes
| Scope | Access |
|---|---|
| generate | Create jobs, generate identities, tabular parse & generate |
| read | List forms, view jobs, download output, tabular status & download |
| account | View credit balance and usage statistics |
Default: new keys have all three scopes. A key without the required scope gets 403 Forbidden.
Key Lifecycle
Create
Create keys in Account > API Keys. The raw key is shown once — copy it immediately.
Rotate
Rotation creates a new key and revokes the old one atomically. No downtime.
Revoke
Revoked keys return 401 immediately. Cannot be undone.
Security Best Practices
- Never commit keys to source control. Use environment variables or a secrets manager.
- Use separate keys per environment (dev, staging, production).
- Limit scopes to what each key needs.
- Rotate regularly — monthly or quarterly.
- Revoke immediately if a key is exposed.
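
To back up the first rule, a pre-commit style scanner can reject files containing strings in the key format described above. This is an added example, not code from this API's provider; the function names, the redaction style, and the acceptance of upper-case hex are assumptions.

```python
import re
import sys
from pathlib import Path

# Key format from the page: "sk_live_" + 48 hex characters (56 total).
# Assumption: hex digits may be upper or lower case; the page does not say.
KEY_RE = re.compile(r"\bsk_live_[0-9a-fA-F]{48}\b")


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so a finding can be traced
    to a key without re-exposing the secret in logs."""
    return f"{key[:8]}...{key[-4:]}"


def scan_text(text: str, source: str = "<input>") -> list[tuple[str, int, str]]:
    """Return (source, line_number, redacted_key) for each key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings


def scan_paths(paths: list[str]) -> list[tuple[str, int, str]]:
    """Scan each file path; skip anything that cannot be read."""
    findings = []
    for name in paths:
        try:
            text = Path(name).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # deleted, unreadable, or a directory
        findings.extend(scan_text(text, name))
    return findings


def main(argv: list[str]) -> int:
    findings = scan_paths(argv)
    for source, lineno, redacted in findings:
        print(f"{source}:{lineno}: possible API key {redacted}", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit blocks the commit


# Constructed sample: a fake key built from a repeated pattern, not a real credential.
SAMPLE_KEY = "sk_live_" + "0123456789abcdef" * 3
SAMPLE = f'API_KEY = "{SAMPLE_KEY}"\nplaceholder = "sk_live_YOUR_KEY"\n'

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the staged file names as arguments from a pre-commit hook. A hit means the key should be treated as exposed and revoked, not just removed from the file.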