Get started
Authentication
Every request authenticates with a secret API key in the Authorization header. Keys look like sk_live_… and carry full access to your account — treat them like a password.
Authenticate a request
curl https://api.postlake.dev/v1/me \
-H "Authorization: Bearer sk_live_YOUR_KEY"Creating & revoking keys
- Create, name and revoke keys on the API Keys page in your dashboard. Name them per app or environment (e.g. "CI server", "Zapier") so you can revoke one without affecting the rest.
- A key's secret is shown once, at creation. We only ever store a hash — we can't show it again, so save it somewhere safe.
- If a key leaks, revoke it from the dashboard; it stops working immediately.
Keys are server-side only
PostLake keys are secret server-side keys (prefix sk_live_). There's no separate "publishable" key — every endpoint is server-to-server, so never embed a key in a browser, mobile app, or public repo.
Agents connect differently. If you're connecting an AI agent over MCP, it authenticates via OAuth — no API key is pasted into the chat. See MCP server.