Authentication
All SpeyBooks API requests must be authenticated using an API key.
Requests without a valid key are rejected.
API keys
Authenticate requests by including your API key in the Authorization header using the Bearer scheme.
```bash
curl https://api.speybooks.com/v1/organisation \
  -H "Authorization: Bearer sk_live_your_api_key"
```
API keys are organisation-scoped and grant access to all permitted resources.
Key types
| Type | Prefix | Environment |
|---|---|---|
| Live | sk_live_ | Production |
| Test | sk_test_ | Sandbox |
Test keys operate on a separate dataset. Use them for development and testing without affecting real financial data.
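The following is an added example, not SpeyBooks' own client code. It shows a small client-side helper that loads the key from an environment variable (the variable name `SPEYBOOKS_API_KEY` is an assumption; the docs do not prescribe one), classifies it by the `sk_live_`/`sk_test_` prefix from the table above, refuses a live key unless the caller explicitly opts in, builds the Bearer `Authorization` header, and renders a redacted form of the key for logs so the secret itself is never written out.

```python
import os

# Key prefixes and the environment each one selects (from the Key types table).
KEY_ENVIRONMENTS = {"sk_live_": "production", "sk_test_": "sandbox"}

# Hypothetical environment variable name; the docs do not prescribe one.
ENV_VAR = "SPEYBOOKS_API_KEY"


def classify_key(api_key):
    """Return 'production', 'sandbox', or None when the prefix is not recognised."""
    for prefix, environment in KEY_ENVIRONMENTS.items():
        if api_key.startswith(prefix):
            return environment
    return None


def redact_key(api_key):
    """Log-safe rendering of a key: its prefix and last four characters only."""
    for prefix in KEY_ENVIRONMENTS:
        if api_key.startswith(prefix):
            return f"{prefix}...{api_key[-4:]}"
    return "<unrecognised key>"


def check_key(raw, allow_live=False):
    """Return None when the key is usable here, otherwise a short reason string.

    A live key is only accepted when the caller explicitly opts in, so that a
    production secret that leaks into a test or staging config is caught early.
    """
    if not raw:
        return "unset"
    environment = classify_key(raw)
    if environment is None:
        return "unknown-prefix"
    if environment == "production" and not allow_live:
        return "live-key-not-allowed"
    return None


def load_api_key(environ=None, allow_live=False):
    """Read the key from the process environment, never from source code."""
    environ = os.environ if environ is None else environ
    raw = environ.get(ENV_VAR, "").strip()
    problem = check_key(raw, allow_live)
    if problem is not None:
        # Only the redacted form ever reaches the exception text / logs.
        raise RuntimeError(f"{ENV_VAR}: {problem} ({redact_key(raw)})")
    return raw


def auth_headers(api_key):
    """Headers for an authenticated request: Bearer scheme in Authorization."""
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


if __name__ == "__main__":
    # Constructed sample environment so the script runs offline.
    sample_environ = {ENV_VAR: "sk_test_exampleonly1234"}
    key = load_api_key(sample_environ)
    print("environment:", classify_key(key))
    print("key in logs:", redact_key(key))
    print("header names:", sorted(auth_headers(key)))
```

The `allow_live` guard is the practical payoff of the two prefixes: a deployment that is not production can hard-code `allow_live=False` and fail fast if someone pastes a live key into its configuration.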
Authentication errors
Authentication failures always return HTTP 401 Unauthorized with a structured error response.
Missing API key
```http
HTTP/1.1 401 Unauthorized
{
  "success": false,
  "error": {
    "code": "unauthorized",
    "message": "Missing Authorization header"
  }
}
```
Invalid API key
```http
HTTP/1.1 401 Unauthorized
{
  "success": false,
  "error": {
    "code": "unauthorized",
    "message": "Invalid API key"
  }
}
```
Revoked API key
```http
HTTP/1.1 401 Unauthorized
{
  "success": false,
  "error": {
    "code": "unauthorized",
    "message": "API key has been revoked"
  }
}
```
Error messages are explicit and do not leak sensitive information.
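Because all three failures share the code `unauthorized`, an automated client has to read the `message` field to tell a missing header from a revoked key and react differently (a revoked key should never be retried; it needs a replacement). The following is an added example, not SpeyBooks' own code: it classifies the three documented 401 bodies, wraps the request in a `get()` helper that raises a typed `AuthenticationError`, and includes a constructed offline stand-in for `urlopen` so the behaviour can be exercised without contacting the API. The `/organisation` path and base URL come from the curl example above; the success body is a constructed sample.

```python
import io
import json
import urllib.error
import urllib.request

API_BASE = "https://api.speybooks.com/v1"  # base URL from the curl example above

# The three documented 401 bodies, keyed by their message text.
AUTH_FAILURE_KINDS = {
    "Missing Authorization header": "missing_key",
    "Invalid API key": "invalid_key",
    "API key has been revoked": "revoked_key",
}

# None of these is retryable with the same key; retrying only adds log noise.
ACTIONS = {
    "missing_key": "client bug: the Authorization header was not sent",
    "invalid_key": "check the key value and that it matches the target environment",
    "revoked_key": "stop using this key; issue a replacement from the dashboard",
    "unknown_401": "401 with an unrecognised body; inspect the response",
}


class AuthenticationError(Exception):
    def __init__(self, kind):
        super().__init__(f"authentication failed ({kind}): {ACTIONS[kind]}")
        self.kind = kind
        self.action = ACTIONS[kind]


def classify_auth_failure(status, body):
    """Map an HTTP status and JSON body to a failure kind, or None if not a 401."""
    if status != 401:
        return None
    try:
        parsed = json.loads(body) if isinstance(body, (bytes, str)) else body
    except ValueError:
        return "unknown_401"
    error = parsed.get("error") if isinstance(parsed, dict) else None
    if not isinstance(error, dict) or error.get("code") != "unauthorized":
        return "unknown_401"
    return AUTH_FAILURE_KINDS.get(error.get("message"), "unknown_401")


def get(path, api_key, opener=urllib.request.urlopen):
    """GET an API resource; raise AuthenticationError on any 401 response."""
    request = urllib.request.Request(
        API_BASE + path,
        headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
    )
    try:
        with opener(request) as response:
            return json.loads(response.read())
    except urllib.error.HTTPError as exc:
        kind = classify_auth_failure(exc.code, exc.read())
        if kind is None:
            raise  # not an authentication failure; leave it to the caller
        raise AuthenticationError(kind) from None


def probe(path, api_key, opener=urllib.request.urlopen):
    """Return the failure kind for a request, or 'ok' when it authenticates."""
    try:
        get(path, api_key, opener)
        return "ok"
    except AuthenticationError as exc:
        return exc.kind


# Constructed offline stand-in for urlopen that replays a canned response.
def fake_opener(status, body):
    def opener(request):
        if status == 200:
            return io.BytesIO(body)
        raise urllib.error.HTTPError(
            request.full_url, status, "Unauthorized", {}, io.BytesIO(body)
        )
    return opener


# The three bodies documented above, plus a constructed success body.
SAMPLE_MISSING = b'{"success": false, "error": {"code": "unauthorized", "message": "Missing Authorization header"}}'
SAMPLE_INVALID = b'{"success": false, "error": {"code": "unauthorized", "message": "Invalid API key"}}'
SAMPLE_REVOKED = b'{"success": false, "error": {"code": "unauthorized", "message": "API key has been revoked"}}'
SAMPLE_OK = b'{"success": true, "data": {"name": "Example Org"}}'

if __name__ == "__main__":
    for name, body in [("missing", SAMPLE_MISSING), ("revoked", SAMPLE_REVOKED)]:
        kind = probe("/organisation", "sk_test_exampleonly", fake_opener(401, body))
        print(name, "->", kind, "|", ACTIONS[kind])
    print("ok ->", probe("/organisation", "sk_test_exampleonly", fake_opener(200, SAMPLE_OK)))
```

Matching on the message text is deliberate here: the page documents the code as `unauthorized` for all three cases, so the message is the only discriminator. Anything else that arrives with a 401 falls through to `unknown_401` rather than being silently treated as one of the known cases.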
Managing API keys
Generating a key
API keys are generated via the dashboard:
app.speybooks.com/settings/api
Keys are displayed once at creation and cannot be retrieved later. Store them securely.
Revoking a key
Keys can be revoked at any time via the dashboard.
- Revocation is immediate
- All subsequent requests using the key will fail
Use revocation to respond to suspected compromise or routine rotation.
Security best practices
- Use HTTPS for all API requests
- Never expose API keys in client-side code
- Store keys in environment variables, not source code
- Rotate keys periodically
- Use test keys for development and staging
API keys grant full access to your organisation's data. Treat them with the same care as database credentials.
Key principles
- Authentication is explicit and mandatory
- Keys are scoped, revocable, and auditable
- No session state or cookies are used
- Failure modes are predictable and consistent
Authentication in SpeyBooks is designed to be simple, secure, and automation-friendly.
What to read next
- Errors — error codes and handling
- API Overview — request and response conventions
- Invoices API — authenticated write operations