API keys & Bearer tokens
Programmatic access for scripts, CI, and tooling — the same account power as a dashboard session.
What they are
Developer API keys look like sdk_live_…. They are full-account credentials: there are no scopes. A valid key authenticates as you on every requireAuth route (apps, licenses, account, metrics, /auth/me).
They do not authenticate client license validation. End-user programs use the sealed session path in License control.
Dashboard
Create, copy (once), list, and revoke keys under Settings → API keys. Plaintext is shown only at creation; afterward you only see a prefix and metadata (last_used_at, revoked).
HTTP: create, list, revoke
All require an existing session cookie or another API key.
{
"name": "ci-bot"
}{
"success": true,
"key": {
"id": "<uuid>",
"name": "ci-bot",
"apiKey": "sdk_live_…",
"keyPrefix": "sdk_live_abcd1234…",
"createdAt": "…"
},
"warning": "API key plaintext is shown once. Store it securely; only the hash is retained."
}{ "success": true, "keys": [ /* prefix + metadata only */ ] }{ "success": true }Using the Bearer header
Authorization: Bearer sdk_live_<token> Content-Type: application/json
curl -X POST https://api.sdkey.dev/api/v1/licenses/create \
-H 'Authorization: Bearer sdk_live_....' \
-H 'Content-Type: application/json' \
-d '{"applicationId":"<uuid>","amount":1,"durationSeconds":2592000}'curl https://api.sdkey.dev/api/v1/apps/ \ -H 'Authorization: Bearer sdk_live_....'
Auth resolution
If both a sdkey_session cookie and a Bearer token are present, the cookie wins. Failed Bearer attempts are rate-limited (30 / min / IP).
Security
- Server stores SHA-256 of the key only
- Copy the plaintext immediately — it cannot be recovered later
- Revoke immediately if a key leaks
- Prefer short-lived keys per environment (CI vs laptop)