Morface Developer Docs
Guides

Authentication

Authenticate Morface public API requests with Bearer API keys and understand key lifecycle behavior.

Authentication

Morface Public API V1 is authenticated with server-side API keys.

Header format

Authorization: Bearer sk_live_<publicId>_<secret>

Rules

  • Public API routes only accept Bearer API keys.
  • Session or cookie authentication is not used for /api/v1.
  • The full key is visible only once at creation time.
  • Keys may be revoked or expired. Requests with invalid keys fail authentication.

Key management

Create and manage keys from API Keys.

Best practices:

  • Store keys in your backend secret manager.
  • Use a dedicated key per environment or integration.
  • Rotate keys when team membership or infrastructure boundaries change.
  • Do not expose keys in browser code, mobile bundles, or logs.

Common authentication failures

ConditionExpected outcome
Missing Bearer headerAuthentication failure
Malformed key formatAuthentication failure
Revoked keyAuthentication failure
Expired keyAuthentication failure