Authentication

The Operate API uses API key authentication. Every request must include a valid API key in the x-api-key header.

How it works

x-api-key: your-api-key-here
Your API key is tied to a specific organization. All data returned by the API is automatically scoped to that organization — you don’t need to pass an organization ID.

Obtaining an API key

  1. Log in to the Operate dashboard
  2. Go to Settings > API Keys
  3. Click Create API Key and copy the generated key
API keys are shown only once at creation time. Store them securely (e.g. in environment variables or a secrets manager).

Using the API key

Include the x-api-key header with every request:
curl -X GET https://api.operate.so/companies/list \
  -H "x-api-key: sk_live_abc123..."

Error responses

Status  Meaning
400     Missing x-api-key header
401     Invalid or expired API key
403     API key does not have access to the requested resource
All authentication errors follow the standard error shape:
{
  "success": false,
  "error": {
    "type": "authentication_error",
    "message": "Missing API Key"
  }
}

Best practices

Never hardcode API keys in source code. Use environment variables or a secrets manager like AWS Secrets Manager, Doppler, or Infisical.
API keys should only be used in server-side code. Never expose them in client-side JavaScript, mobile apps, or public repositories.
Generate new API keys and revoke old ones on a regular schedule to limit exposure from potential leaks.
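
A server-side client that follows the practices above, as an added example that is not part of the Operate documentation: it reads the key from an environment variable, sends it only in the x-api-key header, and maps the documented 400/401/403 responses to a next step. The OPERATE_API_KEY variable name, the action labels and the sample key are assumptions made for illustration.

```python
import json
import os
import urllib.request

BASE_URL = "https://api.operate.so"  # host taken from the page's curl example
ENV_VAR = "OPERATE_API_KEY"          # assumed variable name, not defined by the page

# Statuses from the page's error table, mapped to a client-side action (assumed labels).
AUTH_ACTIONS = {
    400: "fix_client",   # x-api-key header missing: a bug in the caller
    401: "rotate_key",   # invalid or expired key: retrying the same key will not help
    403: "check_scope",  # key is valid but has no access to this resource
}

def load_api_key(env=os.environ):
    """Read the key from the environment; fail closed if it is absent or blank."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set")
    return key

def redact(key):
    """Log-safe form of the key: a short prefix only, never the full secret."""
    return key[:8] + "..." if len(key) > 8 else "***"

def build_request(path, key):
    """Build a GET request that carries the key in the x-api-key header, never in the URL."""
    return urllib.request.Request(BASE_URL + path, headers={"x-api-key": key}, method="GET")

def classify_auth_error(status, body):
    """Return (action, message) for a 400/401/403 response, or None for any other status."""
    if status not in AUTH_ACTIONS:
        return None
    try:
        error = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        error = {}  # body is not JSON or not an object: still act on the status code
    if not isinstance(error, dict):
        error = {}
    return AUTH_ACTIONS[status], error.get("message", "")

if __name__ == "__main__":
    # Error body copied from the page; the key below is constructed, not a real credential.
    body = '{"success": false, "error": {"type": "authentication_error", "message": "Missing API Key"}}'
    print(classify_auth_error(400, body))
    req = build_request("/companies/list", "sk_test_constructed_0001")
    print(req.full_url, redact("sk_test_constructed_0001"))
```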