Authentication
Authentication uses API keys with Bearer auth.
Header
Authorization: Bearer <API_KEY>
Key Lifecycle
Keys are issued per client and linked to:
- Company
- Environment
- Scope permissions
- Rate limit tier
- Optional IP allowlist
- Expiry date
Keys are stored hashed in the database and can be revoked at any time.
Rejection Conditions
Requests are rejected when the key is:
- Missing
- Invalid
- Revoked
- Expired
- Not valid for the current environment
- Not allowlisted by IP
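The rejection conditions above, applied in order to an incoming request, as an added example (not this API's own code). The SHA-256 hash, the record field names, the reason strings and the sample keys are assumptions; the page only states that keys are stored hashed.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class KeyRecord:                      # hypothetical schema
    environment: str
    expires_at: datetime
    revoked: bool = False
    ip_allowlist: tuple = ()          # empty tuple = no IP restriction

def hash_key(raw: str) -> str:
    # Assumption: SHA-256 of the raw key; only the digest is ever stored.
    return hashlib.sha256(raw.encode()).hexdigest()

# Constructed sample data (not real keys), indexed by key hash.
_EXP = datetime(2030, 1, 1, tzinfo=timezone.utc)
SAMPLE_STORE = {
    hash_key("demo-prod-key"): KeyRecord("production", _EXP,
                                         ip_allowlist=("203.0.113.0/24",)),
    hash_key("demo-revoked-key"): KeyRecord("production", _EXP, revoked=True),
}

def check_request(headers, client_ip, environment, store, now=None):
    """Return (allowed, reason) for one request."""
    now = now or datetime.now(timezone.utc)
    scheme, _, raw = headers.get("Authorization", "").partition(" ")
    raw = raw.strip()
    if scheme.lower() != "bearer" or not raw:
        return False, "missing"
    record = store.get(hash_key(raw))  # look up by digest, never by raw key
    if record is None:
        return False, "invalid"
    if record.revoked:
        return False, "revoked"
    if now >= record.expires_at:
        return False, "expired"
    if record.environment != environment:
        return False, "wrong_environment"
    if record.ip_allowlist:
        ip = ipaddress.ip_address(client_ip)
        nets = (ipaddress.ip_network(n) for n in record.ip_allowlist)
        if not any(ip in net for net in nets):
            return False, "ip_not_allowlisted"
    return True, "ok"
```

The reason strings are for server-side logging; the response sent to the client can stay generic so that it does not reveal which check failed.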