Authentication
Authentication uses API keys, sent as a Bearer token in the Authorization header.
Header
Authorization: Bearer <API_KEY>
API Key Constraints
API keys are company-scoped and linked to:
- Company
- Scope permissions
- Optional IP allowlist
- Optional expiry date
Keys are stored hashed in the database and can be revoked at any time.
Rejection Conditions
Requests are rejected when the key is:
- Missing
- Invalid
- Revoked
- Expired
- Not valid for the current environment
- Not allowlisted by IP
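Example
The following server-side check is an added illustration of the rejection conditions above, not this API's own code. The record field names, the reason strings, the sample key and the use of SHA-256 for the stored hash are assumptions; the page states only that keys are stored hashed.

```python
import hashlib
import ipaddress
from datetime import datetime, timezone

def hash_key(raw_key: str) -> str:
    # Assumption: SHA-256 of the raw key; the page only says keys are stored hashed.
    return hashlib.sha256(raw_key.encode()).hexdigest()

# Constructed sample store, indexed by key hash (stands in for the database table).
KEYS = {
    hash_key("sk_test_constructed_example"): {
        "company_id": 42,
        "scopes": {"orders:read"},
        "environment": "test",
        "ip_allowlist": ["203.0.113.0/24"],  # empty list = no IP restriction
        "expires_at": datetime(2030, 1, 1, tzinfo=timezone.utc),  # None = no expiry
        "revoked": False,
    },
}

def check_request(headers, client_ip, environment, now=None):
    """Return (allowed, reason), applying the rejection conditions in order."""
    now = now or datetime.now(timezone.utc)
    scheme, _, raw_key = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not raw_key.strip():
        return False, "missing"
    # Look up by hash so the raw key is never stored or compared directly.
    record = KEYS.get(hash_key(raw_key.strip()))
    if record is None:
        return False, "invalid"
    if record["revoked"]:
        return False, "revoked"
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return False, "expired"
    if record["environment"] != environment:
        return False, "wrong_environment"
    # client_ip must be the peer address seen by the server, not a client-set header.
    addr = ipaddress.ip_address(client_ip)
    allow = record["ip_allowlist"]
    if allow and not any(addr in ipaddress.ip_network(net) for net in allow):
        return False, "ip_not_allowlisted"
    return True, "ok"
```

Return the same generic 401 response for every reason and keep the specific reason in server logs only, so a caller cannot tell an unknown key from a revoked or expired one.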