How It Works What It Catches Quickstart Pricing
Sign in Start 14-day trial

Authentication: API Keys and Idempotency

Authenticate SendPromptly API requests with project API keys, JSON headers, and required idempotency keys.

Authentication

SendPromptly uses bearer API keys scoped to a project. Your app uses the plaintext key shown once when you create it in the dashboard.

Header format

1

Authorization: Bearer sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Required ingestion headers

  • Authorization
  • Idempotency-Key
  • Content-Type: application/json
  • Accept: application/json

Idempotency-Key is required on both POST /api/v1/receipt and POST /api/v1/result. Reuse the same key only when retrying the exact same request body.

Security best practices

  • Generate separate keys for distinct deployments or modes, for example Production key, Staging worker, or CI validation.
  • Store tokens in a secret manager, never in source control.
  • Restrict usage to backend services; do not expose tokens in browsers or mobile apps.
  • Rotate tokens on a regular schedule and after any suspected leak.

Rotation workflow

  1. Create a new API key on the project.
  2. Deploy backend changes to use the new token.
  3. Verify successful receipt and result calls.
  4. Revoke the old token after confirmation.

Common authentication failures

  • 401 unauthorized: bearer token is missing, malformed, revoked, or does not match any project.
  • 400 missing_idempotency_key: the Idempotency-Key header is missing.
  • 406 missing_accept_header or 406 not_acceptable: the request does not allow application/json.
  • 415 unsupported_media_type: the request is not sent as JSON.

Hardening checklist

  • Keep repair callback secrets and API keys in separate secret entries.
  • Log token fingerprint metadata internally, not full token values.
  • Alert on repeated auth failures so you catch misconfigured deployments quickly.

For complete request examples, see Quickstart and API Reference.