Authorization header.
Generating keys
Keys live under Settings → API Keys.- Click Generate, give the key a memorable name.
- The full
sk_...token is shown once at creation. - Only the prefix (
sk_a3f9...) is stored after that — you cannot retrieve a lost key.
Scope
A key is bound to the user who created it. Current production behavior:POST /searchsearches owned Disks only.GET /diskscan list owned and active-saved Disks withscope.GET /disks/{id}can read an owned Disk, or an active-saved Disk when the key owner has saved it.POST /disks/batchis owned-only.
Rotation
To rotate:- Generate a new key.
- Update your client / agent /
.envwith the new value. - Delete the old key from Settings.
Errors
| Status | error code | Cause |
|---|---|---|
401 | unauthorized | Missing header, malformed token, deleted key |
429 | rate_limit_exceeded | >100 req/min on the same key |
500 | internal_error | Server-side issue — retry with backoff |
retry_after (seconds) in the JSON body.