Skip to main content
Guides

Authentication

Every v1 request is authenticated with a bearer API key tied to your CurateOne account.

Sending the key

Pass the key in the Authorization header. X-Api-Key is accepted as a fallback for clients that can't set Authorization.

bash
curl https://curateone.ai/api/v1/me \
  -H "Authorization: Bearer co_live_…"

# equivalent:
curl https://curateone.ai/api/v1/me -H "X-Api-Key: co_live_…"

Key format & storage

  • Keys look like co_live_ followed by 48 hex characters.
  • The plaintext is shown once at creation. CurateOne stores only a SHA-256 hash — a lost key can't be recovered, only replaced.
  • Keys act as your account: everything the account owns (sites, leads, analytics, credits) is reachable through them. Treat them like passwords.
Never ship a key in browser JavaScript, mobile apps, or public repos. Call the API from your server and keep the key in a secrets manager or environment variable.

Rotation & revocation

You can hold up to 10 active keys, so rotation is zero-downtime: create the replacement, deploy it, then revoke the old key on the API Keys page. Revocation is immediate and permanent; revoked keys stay listed for your audit trail.

Credits & billing

API calls share the account's AI credit pool with the Studio: creating a site via POST /sites costs one generation credit (refunded if the job fails), while reads are free within rate limits. GET /me reports live usage.