Every request to the stablebrowse API includes an Authorization: Bearer sb_live_... header. The key maps to your business — the paying customer account. It doesn’t identify individual end-users; that’s a separate field you pass on each request (see End users). Keys are independent: rotate or revoke one without affecting the others.
Optional: give it a label like production or staging-us-east
Copy the sb_live_... value shown in the banner
The full secret is shown exactly once. Save it somewhere secure immediately — we only store a hash, so if you lose it, you’ll need to mint a new key and revoke the old one.
Dashboard: Settings → API Keys → Revoke on the key’s row.A revoked key starts returning 403 Forbidden immediately on every request. Other keys keep working. Revocation is irreversible — if you revoked by mistake, just mint a new one.
GET /v1/tasks/{taskId}, GET /v1/tasks, GET /v1/sessions/{id}
✓
✓
PUT/GET/DELETE /v1/end-users/{id}/credentials
✓
✓
POST/GET/DELETE /v1/api-keys (key management)
✗ (403)
✓
We deliberately refuse API keys on the key-management endpoints so a leaked key can’t mint more keys to entrench itself. Key lifecycle is a dashboard-only operation.
Never commit keys to git. Use env vars, secret managers (AWS Secrets Manager, Doppler, 1Password CLI, etc.), or your platform’s secret store.
One key per environment.production, staging, local-dev-alice. Makes rotation and revocation painless.
Don’t share keys across integrations. If you’re running a cron and a web backend, give each its own key labeled accordingly — that way the dashboard’s lastUsedAt column tells you which integration is active.
On suspicion of leak, revoke immediately and mint a new one. Faster than investigating; cheap to do.
