Guides
Authentication
Authenticate Morface public API requests with Bearer API keys and understand key lifecycle behavior.
Authentication
Morface Public API V1 is authenticated with server-side API keys.
Header format
Authorization: Bearer sk_live_<publicId>_<secret>Rules
- Public API routes only accept Bearer API keys.
- Session or cookie authentication is not used for
/api/v1. - The full key is visible only once at creation time.
- Keys may be revoked or expired. Requests with invalid keys fail authentication.
Key management
Create and manage keys from API Keys.
Best practices:
- Store keys in your backend secret manager.
- Use a dedicated key per environment or integration.
- Rotate keys when team membership or infrastructure boundaries change.
- Do not expose keys in browser code, mobile bundles, or logs.
Common authentication failures
| Condition | Expected outcome |
|---|---|
| Missing Bearer header | Authentication failure |
| Malformed key format | Authentication failure |
| Revoked key | Authentication failure |
| Expired key | Authentication failure |