Authentication

The developer API uses bearer tokens. You create a token once from your dashboard, then send it on every request.

Generate a token

1. Sign in to your dashboard and go to Settings → Developer (/settings/developer).
2. Click Create token, give it a name so you can recognize it later, and select its scopes.
3. Copy the generated token immediately — it is shown only once. Only a short hint (its leading characters) is stored afterward, so the full value can never be retrieved again.

Store it securely

Treat the token like a password. Anyone with it can call the API as your organization. If you lose it, revoke it and generate a new one.

Requirements

Creating and using tokens requires your organization to be on a qualifying plan (Enterprise by default). See Requirements.

Token format

Every token starts with a short platform prefix, followed by 40 random characters:

acme_nUq7Y…40 characters…0fA2

The prefix lets secret scanners (e.g. GitHub) flag the credential if it is ever leaked.

Use the token

Send the token in the Authorization header as a bearer token:

curl https://your-app.com/api/v1/me \
  -H "Authorization: Bearer YOUR_TOKEN"

Scopes

A token is granted one or more scopes, and each endpoint requires a specific scope.

Scope	Grants
read_user	Read the authenticated user’s profile (GET /v1/me).

A request made with a token that lacks the required scope returns 403 Forbidden.

Rate limits

Each token has a monthly request limit (1,000 requests per month by default). Exceeding it returns 429 Too Many Requests with a Retry-After header. See Rate limits.

Revoke a token

Revoke a token at any time from Settings → Developer. Revoked tokens are rejected immediately.