Create a key
API keys are created on the dashboard:
Open the dashboard
Go to app.creatoraudit.com and sign in.
Create a key
Open the API keys page and create a new key. Give it a recognizable name (it appears in whoami).
Send the token
Add an Authorization header with the Bearer scheme (Authorization: Bearer <api-key>) to every request.
GET /v2/health and GET /v2/meta are unauthenticated and need no header; every
other endpoint requires the bearer token.
Scopes
Each key carries a set of scopes — read, write, and admin — and keys are
issued with all three by default. Read endpoints (GET) require no special scope.
Mutating endpoints (POST/PATCH/PUT/DELETE) require the write scope
(admin implies write implies read). A key lacking the required scope gets a
403 with code: INSUFFICIENT_SCOPE.
Verify your key
GET /v2/whoami echoes the organization and key name the token resolves to —
a quick way to confirm a key works and which org it is bound to:
When authentication fails
A missing or invalid key returns 401 with code: UNAUTHORIZED. An inactive key
or subscription returns 403 with code: FORBIDDEN. Both follow the RFC 9457
error shape:
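As an added illustration (not the project's own client or SDK), the following Python module sends the bearer token as described above, omits the header for the two public endpoints, calls whoami, and maps the documented error codes (UNAUTHORIZED, FORBIDDEN, INSUFFICIENT_SCOPE) onto exceptions by reading the code member of the RFC 9457 body. The API host api.creatoraudit.com, the whoami field names, the path /v2/audits, the key strings and the fake_transport stand-in for the server are assumptions, constructed so the example runs offline.

```python
"""Bearer auth and RFC 9457 error handling against the Creator Audit v2 API.

Added example, not the project's own SDK. Assumptions (not stated on the page):
the API host, the whoami response field names, and the fake server at the bottom.
"""
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.creatoraudit.com"   # assumed host; the page names only the dashboard
PUBLIC_PATHS = {"/v2/health", "/v2/meta"}   # documented as unauthenticated
MUTATING_METHODS = {"POST", "PATCH", "PUT", "DELETE"}


class ApiError(Exception):
    """An RFC 9457 problem response; .code carries the API's documented error code."""

    def __init__(self, status, code, detail=""):
        super().__init__(f"HTTP {status} {code}: {detail}")
        self.status, self.code, self.detail = status, code, detail


class Unauthorized(ApiError):       # 401 UNAUTHORIZED: key missing or invalid
    pass


class Forbidden(ApiError):          # 403 FORBIDDEN: key or subscription inactive
    pass


class InsufficientScope(ApiError):  # 403 INSUFFICIENT_SCOPE: write/admin scope needed
    pass


_ERROR_CLASSES = {"UNAUTHORIZED": Unauthorized, "FORBIDDEN": Forbidden,
                  "INSUFFICIENT_SCOPE": InsufficientScope}


def urllib_transport(method, url, headers, body):
    """Real HTTP: returns (status, body_bytes) for success and error responses alike."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class CreatorAuditClient:
    def __init__(self, api_key=None, transport=urllib_transport, base_url=BASE_URL):
        # Default to the environment so the key is never hard-coded or committed.
        self.api_key = api_key or os.environ.get("CREATORAUDIT_API_KEY")
        self.transport = transport
        self.base_url = base_url

    def request(self, method, path, payload=None):
        headers = {"Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        # Only the two public endpoints go out without the bearer token.
        if path not in PUBLIC_PATHS and self.api_key:
            headers["Authorization"] = f"Bearer {self.api_key}"
        status, raw = self.transport(method, self.base_url + path, headers, body)
        data = json.loads(raw) if raw else {}
        if status >= 400:
            code = data.get("code", "")
            raise _ERROR_CLASSES.get(code, ApiError)(status, code, data.get("detail", ""))
        return data

    def whoami(self):
        """GET /v2/whoami: which organization and key name the token resolves to."""
        return self.request("GET", "/v2/whoami")


def error_code(client, method, path, payload=None):
    """Return the documented error code for a call, or None if it succeeded."""
    try:
        client.request(method, path, payload)
        return None
    except ApiError as err:
        return err.code


# ---- constructed stand-in for the server so the example runs offline ----
# Key strings, scope sets and whoami field names are invented for illustration.
_FAKE_KEYS = {
    "ca_demo_readonly": {"org": "acme", "name": "ci-reports", "scopes": {"read"}, "active": True},
    "ca_demo_writer": {"org": "acme", "name": "backend", "scopes": {"read", "write"}, "active": True},
    "ca_demo_retired": {"org": "acme", "name": "backend-old", "scopes": {"read", "write"}, "active": False},
}


def _problem(status, code, detail):
    """Build an RFC 9457 body; 'code' is the API's extension member."""
    body = {"type": "about:blank", "title": code, "status": status, "detail": detail, "code": code}
    return status, json.dumps(body).encode()


def fake_transport(method, url, headers, body):
    path = url[len(BASE_URL):]
    if path in PUBLIC_PATHS:
        return 200, b'{"status": "ok"}'
    auth = headers.get("Authorization", "")
    key = _FAKE_KEYS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if key is None:
        return _problem(401, "UNAUTHORIZED", "missing or invalid API key")
    if not key["active"]:
        return _problem(403, "FORBIDDEN", "API key is disabled")
    if method in MUTATING_METHODS and not key["scopes"] & {"write", "admin"}:
        return _problem(403, "INSUFFICIENT_SCOPE", "write scope required")  # admin implies write
    if path == "/v2/whoami":
        return 200, json.dumps({"organization": key["org"], "key_name": key["name"]}).encode()
    return 200, b"{}"


if __name__ == "__main__":
    client = CreatorAuditClient("ca_demo_readonly", transport=fake_transport)
    print(client.whoami())
    print(error_code(client, "POST", "/v2/audits", {"handle": "example"}))  # INSUFFICIENT_SCOPE
```

For real traffic, construct the client without the transport argument (urllib_transport is the default) and set CREATORAUDIT_API_KEY in the backend's environment; the typed exceptions let callers distinguish a bad key (re-check configuration) from a disabled key or subscription (contact the dashboard owner) from a scope problem (the key needs write).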
Key hygiene
- Keep it secret. Never commit keys to source control, embed them in client-side code, or paste them into logs or screenshots.
- Call from a server. Keep the key on your backend and proxy requests; do not ship it to browsers or mobile apps.
- Use one key per integration. Separate keys make it easy to disable one without disrupting the others, and whoami tells you which is calling.
- Rotate without downtime. Create a new key, deploy it, confirm traffic has moved over (whoami on the new key reports its name), then disable the old one on the dashboard. Disabled keys return 403 with code: FORBIDDEN.