TASKCLANQuickstart ↗

GET STARTED

Authentication

Every request is authenticated with a secret API key sent as a bearer token. Keys are scoped, revocable, and must stay on your server.

API keys

Create and manage keys in your dashboard. Two kinds:

PrefixTypeUse
sk_live_Live secretProduction traffic. Server-side only.
sk_test_Test secretDevelopment and CI. Isolated from live data.

Making an authenticated request

The SDK reads the key you pass to the constructor. If you call the REST API directly, send it as a bearer token:

curl https://api.taskclan.com/v1/run \
  -H "Authorization: Bearer $TASKCLAN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "profile": "t1-flow", "goal": "Say hello" }'
Never expose a secret key in the browser. Client-side code should call your own backend, which holds the key and forwards requests to Taskclan. Anyone with a live key can spend against your account.

Rotating & revoking

  • Rotate keys periodically and immediately if one may be exposed.
  • Revoking a key takes effect within seconds; in-flight requests fail with 401.
  • Use separate keys per environment and per service so you can revoke narrowly.

Organizations & scope

Keys belong to an organization and can be scoped to specific profiles or products. Enterprise accounts add identity, policy and regional rules, see Enterprise. All handling of data follows our Data Processing & Protection Policy.