
Authentication

The Developer API authenticates requests using organization API keys. JWT tokens are not accepted — use an API key for all programmatic access.

Creating an API Key

  1. Go to Settings -> API in your graph8 workspace
  2. Click Create API Key
  3. Enter a name (e.g., “CRM Sync” or “Data Export”)
  4. Optionally set an expiration (1-365 days)
  5. Copy the key immediately — it’s only shown once

Using Your API Key

Include the key in the Authorization header with the Bearer prefix:

export API_KEY="your_api_key_here"
curl "https://be.graph8.com/api/v1/contacts" \
  -H "Authorization: Bearer $API_KEY"

Key Characteristics

| Property | Details |
| --- | --- |
| Scope | Organization-level — access to all data in your org |
| Format | Opaque token (not a JWT) |
| Expiration | Optional, 1-365 days from creation |
| Rotation | Delete and create a new key, or use the Rotate button in Settings |
| Rate Limit | 200 requests/minute, 10 requests/second |

Authentication Errors

| Status | Meaning | Fix |
| --- | --- | --- |
| 401 | Missing or invalid Authorization header | Check your API key is correct |
| 401 | JWT token provided instead of API key | Use an org API key, not a browser session token |
| 401 | API key not associated with an organization | Ensure the key was created in Settings -> API |
| 429 | Rate limit exceeded | Wait and retry with backoff (see Rate Limits) |

Example Error Response

{
  "detail": "Missing Authorization header. Use: Authorization: Bearer <api_key>"
}
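
The following Python client is an added example, not graph8's own code. It reads the key from the API_KEY environment variable, sends it as a Bearer token, fails fast on 401 with the server's detail message (never echoing the key), and retries 429 with exponential backoff. The function names, retry count and backoff timings are assumptions; the base URL and the detail field come from this page.

```python
import json
import os
import random
import time
import urllib.error
import urllib.request

BASE_URL = "https://be.graph8.com/api/v1"  # base of the curl example on this page


class AuthError(Exception):
    """Key missing or rejected (401). Carries the server's text, never the key."""


def load_key(env=os.environ, name="API_KEY"):
    # The key comes from the environment (or a secrets manager), not from source.
    key = env.get(name, "").strip()
    if not key:
        raise AuthError(f"{name} is not set")
    return key


def http_send(path, key):
    # Real transport: returns (status, parsed JSON body or {}).
    req = urllib.request.Request(
        BASE_URL + path, headers={"Authorization": f"Bearer {key}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read())
        except ValueError:
            return err.code, {}


def get(path, key, send=http_send, retries=5, sleep=time.sleep):
    # Assumed policy: retry only 429; a 401 will not fix itself, so fail fast.
    for attempt in range(retries + 1):
        status, body = send(path, key)
        if status == 401:
            detail = body.get("detail") if isinstance(body, dict) else None
            raise AuthError(detail or "unauthorized")
        if status != 429:
            return status, body
        if attempt < retries:
            # Exponential backoff with jitter: up to 0.5s, 1s, 2s, ... capped at 30s.
            sleep(min(30.0, 0.5 * 2 ** attempt) * random.uniform(0.5, 1.0))
    raise RuntimeError("rate limit: retries exhausted")
```

Typical use is get("/contacts", load_key()); the send and sleep parameters exist so the retry logic can be exercised without network access.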

Security Best Practices

Do:

  • Store keys in environment variables or a secrets manager
  • Use separate keys for development and production
  • Set expiration dates on keys
  • Rotate keys periodically
  • Delete unused keys promptly

Don’t:

  • Commit keys to version control
  • Share keys via email or chat
  • Expose keys in frontend JavaScript or client-side code
  • Log keys in application output