Authentication
API key setup and Bearer token authentication
All API requests require authentication using an API key.
Creating an API Key
- Log in to your admin dashboard
- Go to Settings > Developer
- Click Generate API Key
- Enter a descriptive name (e.g., "WordPress Plugin", "Mobile App")
- Copy the key immediately — it is shown only once
Making Authenticated Requests
Include your API key as a Bearer token in the Authorization header:
curl -H "Authorization: Bearer crb_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4" \
  https://your-slug.crbeeapp.com/api/v1/settings
Key Format
API keys follow the format:
crb_live_[32 hexadecimal characters]
Example: crb_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
The prefix crb_live_ followed by the first 8 characters is stored as the key's visible identifier. The full key is hashed (SHA-256) and compared on each request using timing-safe comparison.
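The storage and comparison scheme described above, sketched as an added example (not the service's own code): only the visible identifier and a SHA-256 digest are kept, and a presented Bearer token is checked with a constant-time comparison. The function names, the in-memory `store` dict, and the restriction to lowercase hex are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Format from this page: crb_live_ followed by 32 hexadecimal characters.
# Lowercase-only hex is an assumption based on the page's example key.
KEY_RE = re.compile(r"crb_live_[0-9a-f]{32}")
ID_LEN = len("crb_live_") + 8  # visible identifier: prefix + first 8 characters


def make_record(full_key: str) -> Tuple[str, str]:
    """Return (visible identifier, SHA-256 hex digest) to persist at key creation.

    The full key itself is never stored, which is why it can be shown only once.
    """
    return full_key[:ID_LEN], hashlib.sha256(full_key.encode()).hexdigest()


def authenticate(authorization: Optional[str], store: Dict[str, str]) -> bool:
    """Check an Authorization header value against stored key digests."""
    if not authorization:
        return False
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
        return False
    stored = store.get(token[:ID_LEN])  # look up by visible identifier
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Compare against a dummy digest when the identifier is unknown, so the
    # known and unknown paths perform the same constant-time comparison.
    matches = hmac.compare_digest(presented, stored or "0" * 64)
    return matches and stored is not None


if __name__ == "__main__":
    # Constructed sample: the example key printed on this page.
    key = "crb_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4"
    ident, digest = make_record(key)
    store = {ident: digest}
    print(ident)                                    # identifier shown in the dashboard
    print(authenticate("Bearer " + key, store))     # valid key
    print(authenticate("Bearer " + ident + "0" * 24, store))  # same identifier, wrong key
```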
Security Best Practices
- Never expose keys in client-side code — API keys should only be used from server-side code or secure environments
- Use separate keys per integration — Create a dedicated key for each system (WordPress plugin, mobile app, etc.)
- Rotate keys periodically — Delete old keys and create new ones
- Revoke compromised keys immediately — Delete any key you suspect has been exposed
Authentication Errors
| Status | Meaning |
|---|---|
| 401 Unauthorized | Missing or invalid API key |
| 403 Forbidden | Key is valid but lacks permission for this action |
{
  "error": "Invalid or missing API key"
}
Admin API Routes
Some endpoints (API key management, webhook management, Stripe key status) require session authentication instead of API keys. These are accessed through the admin dashboard and use your logged-in session cookie.