Guides
Authentication
Every v1 request is authenticated with a bearer API key tied to your CurateOne account.
Sending the key
Pass the key in the Authorization header. X-Api-Key is accepted as a fallback for clients that can't set Authorization.
curl https://curateone.ai/api/v1/me \
-H "Authorization: Bearer co_live_…"
# equivalent:
curl https://curateone.ai/api/v1/me -H "X-Api-Key: co_live_…"Key format & storage
- Keys look like
co_live_followed by 48 hex characters. - The plaintext is shown once at creation. CurateOne stores only a SHA-256 hash — a lost key can't be recovered, only replaced.
- Keys act as your account: everything the account owns (sites, leads, analytics, credits) is reachable through them. Treat them like passwords.
Never ship a key in browser JavaScript, mobile apps, or public repos. Call the API from your server and keep the key in a secrets manager or environment variable.
Rotation & revocation
You can hold up to 10 active keys, so rotation is zero-downtime: create the replacement, deploy it, then revoke the old key on the API Keys page. Revocation is immediate and permanent; revoked keys stay listed for your audit trail.
Credits & billing
API calls share the account's AI credit pool with the Studio: creating a site via POST /sites costs one generation credit (refunded if the job fails), while reads are free within rate limits. GET /me reports live usage.