Learn how to authenticate your API requests using API keys and bearer tokens.
All API requests require authentication using an API key. Generate keys from your workspace's developer settings.
API keys use the pf_live_ prefix.
API keys are scoped to your workspace. Requests authenticate to the workspace that owns the key. Each key uses explicit API scopes chosen when the key is created or rotated, and those scopes must be allowed by the workspace policy.
Write access automatically includes read access for the same resource. Scope requests that include unknown or disallowed values are rejected instead of being partially applied.
Developer settings include preset scope bundles such as read-only access and automation-focused scopes. Rotating a key creates a replacement key and revokes the previous key immediately.
API keys also re-check the key owner's current workspace membership and role on every request. If the user is removed from the workspace, loses access to a private resource, or no longer has the required product permission for the target action, the request is rejected even if the key still exists.
Requests that authenticate successfully but fail a scope, ownership, or live visibility check return 403 Forbidden.
Include your key in the Authorization header as a Bearer token:
Authorization: Bearer pf_live_YOUR_API_KEY
Alternatively, you can pass the key in the X-API-Key header:
X-API-Key: pf_live_YOUR_API_KEY
The API will return a 401 Unauthorized response if the key is missing, invalid, expired, or has been revoked.
const response = await fetch('https://projectfeed.app/api/v1/projects', {
  headers: {
    'Authorization': `Bearer ${process.env.PROJECT_FEED_API_KEY}`,
  },
});
const projects = await response.json();
Keep your API key secure
Never expose your API key in client-side code or public repositories. Use environment variables and server-side requests only.
Use environment variables
Store API keys in environment variables, never hardcode them.
Server-side only
Make API calls from your backend. Never expose keys in browser JavaScript.
Rotate keys regularly
Rotate API keys periodically and revoke unused keys promptly.
Use .gitignore
Ensure .env files and any files containing keys are in your .gitignore.
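An added example, not taken from Project Feed's documentation or SDK: a server-side wrapper that reads the key from the environment, keeps it out of error messages, and maps the documented 401 and 403 responses to different follow-up actions. The function names, the action labels and the redaction format are assumptions made for this example.

```javascript
// Added example, not Project Feed's own client code.
const KEY_PREFIX = 'pf_live_'; // key prefix stated on this page
const BASE_URL = 'https://projectfeed.app/api/v1'; // base of the URL used on this page

// Build the Authorization header; reject values that cannot be a Project Feed key.
function buildAuthHeaders(apiKey) {
  if (typeof apiKey !== 'string' || !apiKey.startsWith(KEY_PREFIX) ||
      apiKey.length === KEY_PREFIX.length) {
    throw new Error('PROJECT_FEED_API_KEY is unset or lacks the pf_live_ prefix');
  }
  return { Authorization: `Bearer ${apiKey}` };
}

// Log-safe form of a key: prefix plus last four characters (assumed convention).
function redactKey(apiKey) {
  return `${KEY_PREFIX}...${apiKey.slice(-4)}`;
}

// Map the documented auth status codes to an action. Neither is fixed by retrying.
function classifyAuthFailure(status) {
  if (status === 401) { // key missing, invalid, expired, or revoked (e.g. after rotation)
    return { retry: false, action: 'reload-key' };
  }
  if (status === 403) { // key is valid but failed a scope, ownership, or visibility check
    return { retry: false, action: 'review-scopes-and-membership' };
  }
  return null;
}

// Server-side GET. fetchImpl is injectable so the wrapper can be exercised offline.
async function apiGet(path, { apiKey = process.env.PROJECT_FEED_API_KEY, fetchImpl = fetch } = {}) {
  const response = await fetchImpl(`${BASE_URL}${path}`, { headers: buildAuthHeaders(apiKey) });
  const failure = classifyAuthFailure(response.status);
  if (failure) {
    const err = new Error(`Project Feed HTTP ${response.status} on ${path} (key ${redactKey(apiKey)})`);
    err.status = response.status;
    err.action = failure.action;
    throw err;
  }
  if (!response.ok) throw new Error(`Project Feed HTTP ${response.status} on ${path}`);
  return response.json();
}
```

Because rotation revokes the previous key immediately, a 401 from a key that worked earlier usually means the process is still holding the old value and needs the replacement key loaded.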