Authentication
Bearer tokens
Every request authenticates with an API key in the Authorization header:
Authorization: Bearer ue_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Keys are 40 characters: an ue_live_ prefix plus 32 random base62 characters (~143 bits of entropy). Treat them like passwords.
Generating keys
API Keys live in Settings → API Keys. Only admin and superadmin users on a paid plan can generate them. Each key has a name you choose (so you can tell them apart later) and an immutable last4 shown in the table.
The full secret is displayed once, on creation. There's no way to recover it — generate a new one and revoke the old if you lose it.
We store only the SHA-256 hash of each key on our side. We physically cannot reveal a key after creation.
Rotation
Best practice for production integrations:
- Generate a new key, name it with the date.
- Roll the new key out to your client.
- After verifying traffic on the new key, revoke the old one in the UI.
There's no key expiration by default. We may offer self-imposed expiry in a future release.
Revocation
Click the trash icon next to any key in the UI. The next request using a revoked key returns:
{ "error": { "code": "unauthorized", "message": "..." } }
Revoked keys cannot be re-enabled — generate a new one.
What happens on plan downgrade
If your plan drops to Free, all your existing keys stop working immediately (the API enforces the plan check on every request). Re-upgrading restores access without you having to regenerate.
Scopes
v1 keys are workspace-scoped: they can do anything the issuing user can do in the app. Per-key scopes (e.g. read-only) are a planned addition.
Key prefixes
Always ue_live_. The prefix exists so leaked keys are greppable in CI logs, customer error reports, and accidentally-committed source code. We reserve ue_test_ for a future sandbox environment.
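A scanner for the case described above, as an added example that is not part of our API or tooling: it finds keys of the documented shape (ue_live_ plus 32 base62 characters) in log or source text, reports the last4 so the finding can be matched to a row in Settings → API Keys, and returns a redacted copy. The function names, the sample log and the api.example.invalid URL are assumptions made for the example.

```python
import re

# Key shape stated on this page: "ue_live_" + 32 base62 characters.
# "ue_test_" is reserved for a future sandbox, so it is matched as well.
# The lookahead rejects longer base62 runs that merely start like a key.
KEY_RE = re.compile(r"(ue_(?:live|test)_)([0-9A-Za-z]{32})(?![0-9A-Za-z])")


def _mask(m):
    # Keep the prefix and last4 so the finding can be matched to the
    # key's row in Settings, and hide the other 28 characters.
    return m.group(1) + "*" * 28 + m.group(2)[-4:]


def scan(text, source="<input>"):
    """Return (findings, redacted_text) for one blob of log or source text."""
    findings, redacted = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "prefix": m.group(1), "last4": m.group(2)[-4:]})
        redacted.append(KEY_RE.sub(_mask, line))
    return findings, "\n".join(redacted)


# Constructed sample: the key value below is made up for this example.
FAKE_KEY = "ue_live_" + "x" * 28 + "9fQ2"
SAMPLE_LOG = "\n".join([
    "step 1: install dependencies",
    "curl -H 'Authorization: Bearer " + FAKE_KEY + "' https://api.example.invalid/v1/items",
    "truncated value ue_live_" + "x" * 20 + " (too short, ignored)",
    "step 3: done",
])

if __name__ == "__main__":
    hits, clean = scan(SAMPLE_LOG, source="ci.log")
    for h in hits:
        print(f"{h['source']}:{h['line']}: {h['prefix']}...{h['last4']} found, revoke it")
    print(clean)
```

Any key the scanner reports should be revoked and replaced as described under Rotation, since redacting the log does not undo the exposure.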
Webhook signing
Webhooks use a separate whsec_… shared secret per subscription. See Webhooks for details.