Skip to main content

Authentication

Public API v1 uses HTTP Bearer authentication with an organization API key.
or
Keys are generated server-side (cic_test_ or cic_live_ + 64 hex characters). Only the hash is stored; the full secret is shown once at creation.

Create a key (dashboard)

  1. Sign in as an org owner or admin.
  2. Open Settings → Integrations → API keys (/dashboard/settings/integrations/api-keys).
  3. Create a test or live key.
  4. Copy the secret immediately and store it in your secret manager.
Creating or listing keys requires API access on the plan (apiAccess / apiAccessEnabled). Per plan-core: Upgrade path in-product: /dashboard/billing/upgrade.

Rules

  • Send the full key only in the Authorization header.
  • Never put live keys in frontend JavaScript, mobile apps you ship to end users, git, or support tickets.
  • Missing / malformed header → 401 { "error": "Unauthorized", "message": "API key required in Authorization header" }.
  • Invalid, revoked, or expired key → 401 { "error": "Unauthorized", "message": "Invalid or expired API key" }.
  • Each key is scoped to one organization. Responses only include that org’s data. You do not pass orgId on public routes.

Example

OpenAPI security scheme

The published OpenAPI document defines bearerAuth (HTTP bearer, API key). Importers of /openapi.json will prompt for a token automatically.

Not supported on public v1