GET STARTED
Authentication
Every request is authenticated with a secret API key sent as a bearer token. Keys are scoped, revocable, and must stay on your server.
API keys
Create and manage keys in your dashboard. Two kinds:
| Prefix | Type | Use |
|---|---|---|
sk_live_ | Live secret | Production traffic. Server-side only. |
sk_test_ | Test secret | Development and CI. Isolated from live data. |
Making an authenticated request
The SDK reads the key you pass to the constructor. If you call the REST API directly, send it as a bearer token:
curl https://api.taskclan.com/v1/run \
-H "Authorization: Bearer $TASKCLAN_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "profile": "t1-flow", "goal": "Say hello" }'Never expose a secret key in the browser. Client-side code should call your own backend, which holds the key and forwards requests to Taskclan. Anyone with a live key can spend against your account.
Rotating & revoking
- Rotate keys periodically and immediately if one may be exposed.
- Revoking a key takes effect within seconds; in-flight requests fail with
401. - Use separate keys per environment and per service so you can revoke narrowly.
Organizations & scope
Keys belong to an organization and can be scoped to specific profiles or products. Enterprise accounts add identity, policy and regional rules, see Enterprise. All handling of data follows our Data Processing & Protection Policy.
