Authorization: Bearer <your-key> header.
Key format
API keys are opaque strings prefixed withpk_ (production) or pk_test_
(future test mode). Treat the entire string as secret.
Header convention
Accept header is recommended but optional — responses default to JSON.
Where to get a key
- Sign up at permitcore.io/signup
- After magic-link sign-in, visit Account → API Keys
- Your active key is shown once at creation — copy it then; we don’t store it in plain text after the initial display
POST /v1/keys.
Rotation is supported via DELETE /v1/keys/{prefix}
followed by a fresh create.
Security best practices
- Never commit keys to version control. Use environment variables.
- Never embed keys in client-side JS. Server-to-server only.
- Rotate keys quarterly or immediately if exposure is suspected.
- Use one key per environment (production, staging, local). Easier to scope an incident if one is compromised.
Error responses for auth failures
| HTTP | Error code | When |
|---|---|---|
401 | missing_credentials | No Authorization header sent |
401 | invalid_token | Header sent but key is malformed / revoked / unknown |
403 | insufficient_scope | Key is valid but lacks scope for this endpoint |