Authentication
Public API v1 uses HTTP Bearer authentication with an organization API key.Header
Keys are generated server-side (
cic_test_ or cic_live_ + 64 hex characters). Only the hash is stored; the full secret is shown once at creation.
Create a key (dashboard)
- Sign in as an org owner or admin.
- Open Settings → Integrations → API keys (
/dashboard/settings/integrations/api-keys). - Create a test or live key.
- Copy the secret immediately and store it in your secret manager.
apiAccess / apiAccessEnabled). Per plan-core:
Upgrade path in-product:
/dashboard/billing/upgrade.
Rules
- Send the full key only in the
Authorizationheader. - Never put live keys in frontend JavaScript, mobile apps you ship to end users, git, or support tickets.
- Missing / malformed header → 401
{ "error": "Unauthorized", "message": "API key required in Authorization header" }. - Invalid, revoked, or expired key → 401
{ "error": "Unauthorized", "message": "Invalid or expired API key" }. - Each key is scoped to one organization. Responses only include that org’s data. You do not pass
orgIdon public routes.
Example
OpenAPI security scheme
The published OpenAPI document definesbearerAuth (HTTP bearer, API key). Importers of /openapi.json will prompt for a token automatically.