API key types
Every account has two types of API keys:
Secret keys (sk_) must never be exposed in client-side code, browser bundles, or public repositories.
Making authenticated requests
Pass your API key as a Bearer token in the Authorization header on every request.
Scopes
Keys are issued with one or more scopes. Requests that exceed the key’s scope receive 403 Forbidden.
Managing keys
Create, rotate, and revoke keys from the Settings → API Keys page in your dashboard, or via the API keys endpoint.
Errors