Authentication
Bearer-token authentication for the SimplyFill REST API.
SimplyFill uses Bearer-token authentication. Every API call requires an Authorization: Bearer <key> header.
Generating an API key
- Sign in to simplyfill.app/dashboard
- Settings → API Keys → Generate new key
- Copy the key immediately. You can't view it again — only revoke and rotate.
Keys are scoped to a single environment (development, staging, production). The environment is captured at creation and cannot be changed after the fact; create a new key if you need a different environment.
Using an API key
```bash
curl https://api.simplyfill.app/v1/templates \
  -H "Authorization: Bearer sk_test_..."
```
Key permissions
API keys carry one of three permission scopes:
| Scope | Allows |
|---|---|
| read | GET requests only |
| write | GET + POST + PUT + PATCH |
| admin | All scopes + DELETE + key management |
Default scope on creation is write. Set per-key scopes in the dashboard.
Errors
| Status | Body | Cause |
|---|---|---|
| 401 Unauthorized | { "error": "missing_authorization" } | No Authorization header |
| 401 Unauthorized | { "error": "invalid_api_key" } | Key revoked, malformed, or doesn't exist |
| 403 Forbidden | { "error": "scope_required", "required": "admin" } | Key lacks the scope this endpoint requires |
Rotation
Best practice is to rotate production keys every 90 days. Programmatically:
1. Create a new key with the same scope and environment.
2. Deploy the new key into your application's secret store.
3. Confirm at least one successful call uses the new key.
4. Revoke the old key.
The dashboard surfaces a last_used_at timestamp on every key to help confirm step 3.
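The rotation steps above can be turned into a gating check that refuses to recommend revocation until a matching replacement has been used. The following is an added example, not SimplyFill code: the record shape, the field names other than last_used_at, the action labels and the sample data are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=90)  # the page's 90-day guidance

# Constructed sample records. Only last_used_at is named on the page; the
# other field names and the record shape are assumptions for this example.
SAMPLE_KEYS = [
    {"id": "key_a", "environment": "production", "scope": "write",
     "created_at": "2024-01-05T09:00:00Z", "last_used_at": "2024-05-01T08:00:00Z"},
    {"id": "key_b", "environment": "production", "scope": "write",
     "created_at": "2024-04-28T10:00:00Z", "last_used_at": "2024-04-30T12:00:00Z"},
    {"id": "key_c", "environment": "staging", "scope": "admin",
     "created_at": "2024-01-10T09:00:00Z", "last_used_at": "2024-04-29T12:00:00Z"},
    {"id": "key_d", "environment": "production", "scope": "read",
     "created_at": "2024-01-20T09:00:00Z", "last_used_at": None},
    {"id": "key_e", "environment": "production", "scope": "read",
     "created_at": "2024-04-30T09:00:00Z", "last_used_at": None},
]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed for repeatability

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; None means the key was never used."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))

def rotation_plan(keys, now):
    """Map each key older than ROTATION_PERIOD to its next rotation action."""
    plan = {}
    for old in keys:
        created = parse_ts(old["created_at"])
        if now - created < ROTATION_PERIOD:
            continue
        # Step 1: a replacement must match scope and environment exactly.
        successors = [k for k in keys
                      if k["scope"] == old["scope"]
                      and k["environment"] == old["environment"]
                      and parse_ts(k["created_at"]) > created]
        if not successors:
            plan[old["id"]] = "create_replacement"
        # Step 3: revoke only once a replacement has a recorded use.
        elif any(k["last_used_at"] is not None for k in successors):
            plan[old["id"]] = "revoke_old"
        else:
            plan[old["id"]] = "await_first_use"
    return plan

if __name__ == "__main__":
    for key_id, action in rotation_plan(SAMPLE_KEYS, NOW).items():
        print(key_id, action)
```

A replacement with a different scope or environment is deliberately ignored, so a staging key never counts as the successor of a production key.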
See also
- Authentication concept guide — narrative version with examples
- Environments — how API keys map to dev/staging/prod
- API errors — every error code returned by the API