Authentication
Every Emboss endpoint except GET /health requires an API key, sent as a
Bearer token in the Authorization header:
curl https://api.getemboss.ai/usage \
-H "Authorization: Bearer sk_live_yourkey"
Keys look like sk_live_…. They are scoped to a single owner — a key can only
read and mutate the forms and sessions created with that same key. A request
for another owner's resource returns 404, not 403, so existence isn't
leaked across accounts.
Getting a key
API keys are issued via the Emboss CLI today. There is no self-serve signup yet — a self-serve dashboard where you can mint and rotate keys is coming. For now, request a key through the CLI and keep it secret; treat it like a password and never embed it in client-side code.
Missing or invalid keys
- No Authorization header, or a malformed one → 401.
- A well-formed but unknown/revoked key → 401.
- A valid key reaching a resource it doesn't own → 404.
See Errors & status codes for the full table.
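The status-code rules above, as a server-side sketch. This is an added example, not Emboss's own code; the key store, form table, sample keys and function names are constructed for illustration. It shows a foreign resource and a nonexistent one taking the same 404 path, so the two cases cannot be told apart from outside.

```python
import hashlib


def _digest(key):
    # Store and compare only a hash of the key, never the key itself.
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample data (hypothetical keys, owners and form ids).
KEYS = {
    _digest("sk_live_alice_example"): {"owner": "alice", "revoked": False},
    _digest("sk_live_bob_example"): {"owner": "bob", "revoked": False},
    _digest("sk_live_old_example"): {"owner": "alice", "revoked": True},
}
FORMS = {"form_1": "alice", "form_2": "bob"}  # form id -> owning account


def owner_for(authorization):
    """Return the owner behind an Authorization header value, or None."""
    if not authorization:
        return None  # header missing
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.startswith("sk_live_"):
        return None  # malformed header or key
    record = KEYS.get(_digest(token))
    if record is None or record["revoked"]:
        return None  # unknown or revoked key
    return record["owner"]


def get_form_status(authorization, form_id):
    """HTTP status for reading one form, following the rules listed above."""
    owner = owner_for(authorization)
    if owner is None:
        return 401
    # One branch covers both "no such form" and "someone else's form", so the
    # response cannot be used to probe which ids exist in other accounts.
    if FORMS.get(form_id) != owner:
        return 404
    return 200
```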