Documentation

Authentication & environments

API keys as implemented β€” one prefix pair, minted from the business portal.

Edit on GitHub

Key families

PrefixUsage
sk_live_*Server-side only; full job control. Requires the business to hold an active certificate.
sk_test_*Same shape, for integration testing. Does not require an active certificate.

Keys are minted and revoked from a business’s /keys page in the portal. Plaintext is shown once, at creation, and never stored β€” only a SHA-256 hash and a display prefix persist.

How seal_api validates a key

seal_api reads the app.api_key table directly from the same Neon Postgres database this portal writes to β€” hashes the incoming Bearer token and looks up a non-revoked match. There is no key-sync job between the portal and seal_api.

Rotation

Create a new key from /keys, roll it out, then revoke the old one from the same page. There is no automatic grace period β€” revoking a key takes effect immediately.