Skip to Content
API ReferenceAuthentication

Authentication

Every request to the Prooflio API must include a valid API key. This page covers how to create keys, attach them to requests, and keep your credentials secure.

API Keys

Creating a Key

  1. Open your Prooflio dashboard.
  2. Navigate to Settings > API Keys.
  3. Click Create API Key.
  4. Give the key a descriptive name (e.g., “Website Integration” or “CI Pipeline”).
  5. Optionally, set an expiration date.
  6. Click Generate. Copy the key immediately — it will not be shown again.

The full key is only displayed once at creation time. Prooflio stores a SHA-256 hash of the key for security. If you lose it, you must create a new key.

Plan Requirements

API access is available on Growth and Agency plans:

PlanAPI AccessRate Limit
FreeNo—
StarterNo—
GrowthYes60 requests/minute
AgencyYes200 requests/minute

Key Management

API keys are managed by users with the Owner or Admin role in the organization. Each key tracks its lastUsedAt timestamp for audit purposes.

Expiration

When creating a key you may set an optional expiration date. Expired keys return a 401 Unauthorized error and must be regenerated. If no expiration is set, the key remains valid until it is manually revoked.

Using the Key

Pass your API key in the Authorization header as a Bearer token:

curl "https://app.prooflio.io/api/v1/reviews" \ -H "Authorization: Bearer YOUR_API_KEY"

Do not pass the API key as a query parameter. Query parameters may be logged by proxies and servers, exposing your credentials.

Key Lifecycle

You can view and manage all keys from the Settings > API Keys page:

ActionDescription
ViewSee the key name, prefix, creation date, last used date, and expiration. The full key value is hidden after creation.
RevokeImmediately invalidate a key. Any in-flight request using that key will fail. This action is irreversible.

Security Best Practices

Treat your API key like a password. Anyone with access to the key can read your organization’s review data.

  • Never commit keys to version control. Use environment variables or a secrets manager instead.
  • Set expiration dates for keys used in temporary integrations or by contractors.
  • Rotate keys regularly. Revoke and regenerate keys every 90 days as a best practice.
  • Monitor usage. Check the lastUsedAt timestamp on your keys to detect unauthorized use.

Error Responses

401 Unauthorized

Returned when the API key is missing, malformed, expired, or revoked.

{ "error": "unauthorized", "message": "Invalid or missing API key.", "details": [] }

403 Forbidden

Returned when the API key is valid but the organization’s plan does not include API access.

{ "error": "forbidden", "message": "API access requires a Growth plan or higher.", "details": [] }
Last updated on