Authentication

All server-to-server REST endpoints authenticate with an API key via the X-API-Key header.

The header

X-API-Key: sk_live_agent_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Two keys, two purposes

Key	Usage	Exposable?
sk_live_agent_…	Server-side REST API (this doc)	No — backend only
pk_live_…	Browser widget (client embed)	Yes — frontend

The public key (pk_live_) is rejected on server-to-server REST routes. You’d get a 403 AUTH_API_KEY_FORBIDDEN.

Getting an API key

API keys are created from Settings → API Keys in the admin dashboard. You can create multiple keys (one per environment, per integration, etc.) and revoke them individually.

The full key is shown once at creation — copy it immediately.

Security

• Never commit your key into a Git repo
• Never expose it client-side (browser JS, mobile app)
• Store it in a server-side env var (SUPPORTDESK_API_KEY)
• Revoke at the slightest suspicion of leak and create a new one

Test your key

A read-only, side-effect-free call that returns the app tied to your key:

curl

curl https://supportdesk.innovartx.com/api/v1/auth/whoami \
  -H "X-API-Key: $SUPPORTDESK_API_KEY"

If all good, you get a 200 OK with:

{
  "success": true,
  "data": {
    "appId": "cl…",
    "slug": "your-app",
    "name": "Your App",
    "keyType": "agent"
  }
}

Possible errors

HTTP code	Business code	Cause
401	AUTH_API_KEY_MISSING	X-API-Key header missing
401	AUTH_API_KEY_INVALID	Key is malformed or matches no app
401	AUTH_API_KEY_EXPIRED	Key has passed its expiration date
403	AUTH_API_KEY_FORBIDDEN	You used a pk_live_ instead of a sk_live_agent_

See Errors for full error response format.