API authentication

Live key

Use live keys from trusted code.

```bash
curl https://littledemo.com/api/v1/projects \
  -H "Authorization: Bearer ld_live_xxx"
```

Equivalent:

```bash
curl https://littledemo.com/api/v1/projects \
  -H "X-API-Key: ld_live_xxx"
```

Publishable key

Use publishable keys for dynamic embeds.

```bash
curl -X POST https://littledemo.com/api/v1/embed/generate \
  -H "X-API-Key: ld_pub_xxx" \
  -H "Content-Type: application/json" \
  -d '{"context":{"url":"https://docs.example.com","title":"Docs"}}'
```

Session

Dashboard requests use the signed-in browser session.

Project signing secret

Use a project signing secret when a trusted server needs to create iframe URLs without exposing a live API key.

```bash
curl https://littledemo.com/api/v1/projects/proj_abc123/signing-secret \
  -H "Authorization: Bearer ld_live_xxx"
```

Rotate it if the value is exposed:

```bash
curl -X POST https://littledemo.com/api/v1/projects/proj_abc123/signing-secret/rotate \
  -H "Authorization: Bearer ld_live_xxx"
```

Webhook secret

Webhook refreshes can use a project-scoped secret:

```bash
curl -X POST https://littledemo.com/api/v1/webhooks/projects/proj_abc123/refresh \
  -H "X-Webhook-Secret: whsec_xxx"
```
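
Since live keys belong in trusted code and publishable keys are the ones meant for embeds, a build can check that nothing with an `ld_live_` or `whsec_` prefix ends up in files served to browsers. The script below is an added example, not LittleDemo code; the function names, the `./dist` path in the usage comment, and the assumed character set after each prefix are illustrative.

```shell
#!/bin/sh
# Added example, not LittleDemo code. The prefixes come from this page;
# the [A-Za-z0-9]+ tail is an assumption about what follows a prefix.

# scan_client_files DIR
# Prints "path:line:kind" for every server-only credential under DIR.
# The matched value is never printed, so CI logs do not leak it.
# Publishable keys (ld_pub_) are intentionally not reported.
# Limitation: paths containing ':' are split incorrectly.
scan_client_files() {
  { grep -rHnEo '(ld_live|whsec)_[A-Za-z0-9]+' -- "$1" 2>/dev/null || true; } |
  while IFS=: read -r scf_path scf_line scf_match; do
    case $scf_match in
      ld_live_*) scf_kind=live-api-key ;;
      whsec_*)   scf_kind=webhook-secret ;;
    esac
    printf '%s:%s:%s\n' "$scf_path" "$scf_line" "$scf_kind"
  done
}

# client_files_clean DIR
# Returns 0 when DIR holds no server-only credentials, 1 otherwise.
# Findings go to stderr, so the function can gate a build or a hook.
client_files_clean() {
  cfc_findings=$(scan_client_files "$1")
  if [ -z "$cfc_findings" ]; then
    return 0
  fi
  printf '%s\n' "$cfc_findings" >&2
  return 1
}

# Usage (hypothetical build output directory):
#   client_files_clean ./dist || exit 1
```

A finding means the key should be treated as exposed, not just removed from the file.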