Learn how to authenticate your API requests using API keys and bearer tokens.
All API requests require authentication using an API key. Generate keys from your workspace's developer settings.
API keys use the pf_live_ prefix.
API keys are scoped to your workspace. Requests authenticate to the workspace that owns the key. Each key inherits the permissions of the user who created it.
Include your key in the Authorization header as a Bearer token:

Authorization: Bearer pf_live_YOUR_API_KEY

Alternatively, you can pass the key in the X-API-Key header:

X-API-Key: pf_live_YOUR_API_KEY

The API will return a 401 Unauthorized response if the key is missing, invalid, expired, or has been revoked.

// Server-side request (Node.js): the key is read from an environment variable, never hardcoded.
const response = await fetch('https://projectfeed.app/api/v1/projects', {
  headers: {
    'Authorization': `Bearer ${process.env.PROJECT_FEED_API_KEY}`,
  },
});
const projects = await response.json();

Keep your API key secure
Never expose your API key in client-side code or public repositories. Use environment variables and server-side requests only.
Use environment variables
Store API keys in environment variables, never hardcode them.
Server-side only
Make API calls from your backend. Never expose keys in browser JavaScript.
Rotate keys regularly
Rotate API keys periodically and revoke unused keys promptly.
Use .gitignore
Ensure .env files and any files containing keys are in your .gitignore.
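
A .gitignore entry only protects the files it names, so a key pasted into a tracked source file is still committed. The check below is an added example, not Project Feed code: it scans text for hardcoded pf_live_ keys, skips the documentation placeholder, and reports matches in redacted form. The key-body pattern (8 or more letters, digits, `_` or `-`), the function names and the sample files are assumptions made for this example; the page documents only the prefix.

```javascript
// Added example: scan text for hardcoded pf_live_ API keys before it is committed.
// Assumption: the key body after the prefix is 8+ chars of [A-Za-z0-9_-];
// the page documents only the pf_live_ prefix, not the full key format.
const KEY_PATTERN = /pf_live_[A-Za-z0-9_-]{8,}/g;

// The documentation placeholder is not a secret and must not fail the check.
const PLACEHOLDERS = new Set(['pf_live_YOUR_API_KEY']);

// Show only the prefix and last 4 characters so reports never re-leak the key.
function redact(key) {
  return `pf_live_****${key.slice(-4)}`;
}

// Returns one finding per suspected key: file name, 1-based line, redacted value.
function findLeakedKeys(fileName, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, index) => {
    for (const match of line.matchAll(KEY_PATTERN)) {
      if (PLACEHOLDERS.has(match[0])) continue;
      findings.push({ file: fileName, line: index + 1, key: redact(match[0]) });
    }
  });
  return findings;
}

// Constructed sample inputs (the key value is made up for this example).
const SAMPLE_FILES = {
  'server/good.js':
    "const key = process.env.PROJECT_FEED_API_KEY;\n" +
    "// docs: Authorization: Bearer pf_live_YOUR_API_KEY\n",
  'client/bad.js':
    "const headers = {\n" +
    "  'X-API-Key': 'pf_live_a1B2c3D4e5F6g7H8',\n" +
    "};\n",
};

// Scan every file in a { name: contents } map and collect all findings.
function scanAll(files) {
  return Object.entries(files).flatMap(([name, text]) => findLeakedKeys(name, text));
}

const findings = scanAll(SAMPLE_FILES);
for (const f of findings) {
  console.log(`${f.file}:${f.line} hardcoded API key ${f.key}`);
}
```

Run as a pre-commit or CI step, a non-empty result from `scanAll` should fail the build; any key it finds should be treated as exposed and revoked, not just deleted from the file.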