Authentication
API keys
API keys are best for customer-owned server automation. Send the key in the X-API-Key request header on every request.
- Prefixes: pk_test_* and pk_live_*
- Scope model: least-privilege OAuth-style scopes such as items:read and webhooks:write
- Management: Settings -> Integrations -> API
- Safety: rotate exposed keys, revoke unused keys, and use IP allowlists where available
OAuth
OAuth is the partner-app model. Approved applications can use Authorization Code with PKCE for user-mediated access and Client Credentials for approved confidential machine-to-machine access.
Public endpoints:
- GET /oauth/authorize
- POST /oauth/token
- POST /oauth/revoke
The access token is an opaque credential accepted by the public API as Authorization: Bearer <token>. The API re-checks tenant, plan, app status, and scopes on every request, so a revoked app or a narrowed scope set takes effect on the next call rather than at token expiry.
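The message construction for the Authorization Code with PKCE flow against the endpoints above, as an added example (client-side helpers written for this page, not the vendor's SDK). The base URL, client_id, client_secret and redirect_uri are placeholders; the code_challenge derivation is checked against the RFC 7636 Appendix B vector. No network I/O is performed: each function returns the URL, headers or form body that the client would send, so the state check and the verifier/challenge relationship can be inspected directly.

```python
"""Authorization Code + PKCE and Client Credentials request builders for the
/oauth/* endpoints. Added example; the vendor's own SDK may differ."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_PATH = "/oauth/authorize"
TOKEN_PATH = "/oauth/token"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes -> 43 base64url characters, inside the 43..128 range RFC 7636 allows.
    return b64url(secrets.token_bytes(32))


def new_state() -> str:
    # Unguessable per-flow value; the callback must echo it back unchanged.
    return secrets.token_urlsafe(16)


def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(base_url, client_id, redirect_uri, scopes, state, verifier):
    """URL the user's browser is sent to (GET /oauth/authorize)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # request only the scopes the app needs
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",    # never "plain"
    }
    return f"{base_url}{AUTHORIZE_PATH}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to redirect_uri and return the authorization code."""
    q = parse_qs(urlsplit(callback_url).query)
    if "error" in q:
        raise PermissionError(f"authorization refused: {q['error'][0]}")
    got_state = q.get("state", [""])[0]
    # Constant-time compare; a mismatch means CSRF or a mixed-up session, so stop here.
    if not secrets.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = q.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def token_request_auth_code(base_url, client_id, redirect_uri, code, verifier):
    """(url, form body) for POST /oauth/token. A public client sends no secret;
    the code_verifier proves it is the party that started the flow."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # must equal the value used at /oauth/authorize
        "client_id": client_id,
        "code_verifier": verifier,
    }
    return f"{base_url}{TOKEN_PATH}", body


def token_request_client_credentials(base_url, client_id, client_secret, scopes):
    """(url, headers, form body) for a confidential app's Client Credentials grant.
    Assumes HTTP Basic client authentication (RFC 6749 section 2.3.1, with the id and
    secret form-urlencoded before encoding); confirm this against the app's registration."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {"Authorization": "Basic " + base64.b64encode(creds.encode()).decode()}
    body = {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    return f"{base_url}{TOKEN_PATH}", headers, body


def bearer_headers(access_token: str) -> dict:
    """How the opaque token is presented to the public API afterwards."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # End-to-end walk-through with a constructed callback (placeholder names).
    base, app, cb = "https://api.example.com", "app_123", "https://partner.example/cb"
    verifier, state = new_code_verifier(), new_state()
    print(build_authorize_url(base, app, cb, ["items:read"], state, verifier))
    code = parse_callback(f"{cb}?code=AUTHCODE&state={state}", state)
    print(token_request_auth_code(base, app, cb, code, verifier))
```

The verifier and state must be kept per flow (for example in the user's server-side session) and discarded after the token exchange; neither belongs in a cookie the browser can read.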
Hosted MCP authorization
Hosted MCP requests should use bearer credentials scoped to the public API resource. MCP tools map one-to-one to public API scopes, write tools require explicit confirmation inputs, and credentials are not persisted by the MCP process.
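A request gate that enforces the three properties stated above, as an added example (written for this page, not the vendor's hosted MCP server). Tool names, upstream paths and the upstream base URL are placeholders. Each tool maps to exactly one public API scope and one upstream request, write tools are refused unless the call carries an explicit confirm input, and the bearer credential only travels as a function argument into the outgoing headers: nothing stores it on the server object, and the audit record returned for logging never contains it. Scope enforcement itself stays with the public API, which re-checks the opaque token on every request.

```python
"""Tool-call gate for a hosted MCP server in front of the public API.
Added example; tool table and upstream URL are assumptions."""
import re
from dataclasses import dataclass

UPSTREAM = "https://api.example.com"   # placeholder


@dataclass(frozen=True)
class Tool:
    method: str
    path: str
    scope: str   # the single public API scope this tool maps to

    @property
    def is_write(self) -> bool:
        return self.method != "GET"


# Hypothetical tool table: one tool, one scope, one upstream endpoint.
TOOLS = {
    "list_items":     Tool("GET",  "/v1/items",    "items:read"),
    "create_item":    Tool("POST", "/v1/items",    "items:write"),
    "create_webhook": Tool("POST", "/v1/webhooks", "webhooks:write"),
}

# RFC 6750 b64token syntax: scheme is case-insensitive, exactly one token, no extras.
_BEARER_RE = re.compile(r"^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


class ToolDenied(Exception):
    pass


def parse_bearer(authorization) -> str:
    m = _BEARER_RE.match(authorization or "")
    if not m:
        raise ToolDenied("missing or malformed Authorization: Bearer header")
    return m.group(1)


def plan_tool_call(authorization, tool_name, args):
    """Turn one MCP tool invocation into one upstream API request.

    Returns a dict with method/url/headers/params/json plus an 'audit' entry that is
    safe to log. Raises ToolDenied for unknown tools, bad credentials, or an
    unconfirmed write. The token is not retained anywhere but the returned headers.
    """
    tool = TOOLS.get(tool_name)
    if tool is None:
        raise ToolDenied(f"unknown tool {tool_name!r}")
    token = parse_bearer(authorization)

    body = dict(args or {})
    confirm = body.pop("confirm", None)   # MCP-level input, never forwarded upstream
    if tool.is_write and confirm is not True:
        raise ToolDenied(f"{tool_name} is a write tool; pass confirm=true to run it")

    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    audit = {"tool": tool_name, "scope": tool.scope, "write": tool.is_write}
    return {
        "method": tool.method,
        "url": f"{UPSTREAM}{tool.path}",
        "headers": headers,
        "params": None if tool.is_write else body,
        "json": body if tool.is_write else None,
        "audit": audit,
    }


if __name__ == "__main__":
    # Constructed calls with a placeholder token; the write call fails without confirm.
    print(plan_tool_call("Bearer tok_example", "list_items", {"limit": 10})["audit"])
    try:
        plan_tool_call("Bearer tok_example", "create_item", {"name": "x"})
    except ToolDenied as e:
        print("denied:", e)
    print(plan_tool_call("Bearer tok_example", "create_item", {"name": "x", "confirm": True})["audit"])
```

Log only the audit entry, not the request dict; if the upstream call is retried or queued, pass the original Authorization header through again rather than caching the token between calls.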