Alterscope Developer API

Every request to the Alterscope Developer API authenticates with an API key. Keys are issued in the Developer Portal under your organization’s API Keys settings, and are prefixed sk_live_.

Treat an API key like a password. Store it in an environment variable or a secrets manager, never in source control or client-side code. The key carries your organization’s scopes and quota.

Sending the key

Send the key as a bearer token in the Authorization header:

Authorization: Bearer sk_live_xxx

This is the only form that authenticates an HTTP request. Browser WebSocket clients, which cannot set custom headers, pass the key via the ?token= query parameter on connect instead — that is the only other accepted form.

Rotation and revocation

Create a new key in the Developer Portal before retiring an old one, switch your application to the new key, then revoke the old key. A revoked or expired key fails closed: requests return 401 with an error code of revoked_key or expired_key. See Errors for the full status mapping.

What a key can access

A key carries a set of scopes (what it may call) and is bound to a plan tier (how much and how often). A request that lacks the required scope returns 403 with code insufficient_scope. Org admins can mint keys with a subset of scopes using a key that holds admin:keys.

Authentication

Sending the key

Rotation and revocation

What a key can access

Next steps

Scopes

Rate limits

​Sending the key

​Rotation and revocation

​What a key can access

​Next steps

Scopes

Rate limits

Sending the key

Rotation and revocation

What a key can access

Next steps