Skip to main content
PermitCore’s API uses bearer-token authentication. Every request must include an Authorization: Bearer <your-key> header.

Key format

API keys are opaque strings prefixed with pk_ (production) or pk_test_ (future test mode). Treat the entire string as secret.

Header convention

The Accept header is recommended but optional — responses default to JSON.

Where to get a key

  1. Sign up at permitcore.io/signup
  2. After magic-link sign-in, visit Account → API Keys
  3. Your active key is shown once at creation — copy it then; we don’t store it in plain text after the initial display
Keys can be created either at signup (auto-issued first key) or programmatically via POST /v1/keys. Rotation is supported via DELETE /v1/keys/{prefix} followed by a fresh create.

Security best practices

  • Never commit keys to version control. Use environment variables.
  • Never embed keys in client-side JS. Server-to-server only.
  • Rotate keys quarterly or immediately if exposure is suspected.
  • Use one key per environment (production, staging, local). Easier to scope an incident if one is compromised.

Error responses for auth failures

Auth failures are RFC 9457 application/problem+json; branch on the type slug: See Errors for the full response shape + retry guidance. See Data licensing for commercial-use terms once your key is active.

Example: handling auth in code