Authentication
API keys, scopes, and how to authenticate requests against the public API.
Every request to /api/v1 carries an API key in the
Authorization header.
Headers
Authorization: Bearer <api-key>
Content-Type: application/json (on POST / PUT / PATCH)
Key format
Public API keys begin with obs_pub_ followed by an opaque
base64url string. Keys are issued per organisation in the console
under API keys. Each key is shown once at creation; the cloud
stores its hash and cannot recover the plaintext.
Scopes
Each key carries a fixed set of scopes that gate which endpoints the key may call. The scopes available today:
| Scope | Grants |
|---|---|
| read:services | Read service entities. |
| read:metrics | Read metric definitions, current values, and aggregated history. |
| read:slos | Read SLOs and their current burn state. |
| read:incidents | Read incident updates published on status pages. |
Scopes are additive. Requests against an endpoint whose required
scope is not on the key return 403.
Errors
The API returns RFC 7807 problem-detail responses:
{
  "type": "/errors/unauthorized",
  "title": "missing or invalid bearer token",
  "status": 401
}
Per-endpoint scope requirements appear on each operation page in the sidebar.
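The rules above (bearer key with the obs_pub_ prefix, hash-only storage, additive scopes, 401 versus 403) can be sketched as a single authorization check. This is an added example, not the service's own code. Assumptions: SHA-256 as the stored hash, the key_store layout, the sample key, and the 403 body's type and title, none of which the page specifies.

```python
import hashlib
import re

# Assumption: the page gives the prefix and alphabet, not a length.
KEY_RE = re.compile(r"obs_pub_[A-Za-z0-9_-]+")

def key_digest(api_key: str) -> str:
    # Assumption: SHA-256. The page only says a hash of the key is stored.
    return hashlib.sha256(api_key.encode("ascii")).hexdigest()

def problem(status: int, slug: str, title: str) -> dict:
    # RFC 7807 body in the shape the page shows for 401.
    return {"type": f"/errors/{slug}", "title": title, "status": status}

UNAUTHORIZED = problem(401, "unauthorized", "missing or invalid bearer token")

def authorize(auth_header, required_scope, key_store):
    """Return (status, problem_or_None) for one request.

    key_store maps a stored key digest to that key's set of scopes
    (hypothetical layout; the plaintext key is never kept).
    """
    scheme, _, token = (auth_header or "").partition(" ")
    # Missing header, wrong scheme, or malformed key: all 401.
    if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
        return 401, UNAUTHORIZED
    # Look up by digest, so a store leak does not reveal usable keys.
    scopes = key_store.get(key_digest(token))
    if scopes is None:
        return 401, UNAUTHORIZED
    # Scopes are additive: the endpoint's scope must be on the key.
    if required_scope not in scopes:
        # Assumed type and title; the page shows only the 401 body.
        return 403, problem(403, "forbidden", "key lacks required scope")
    return 200, None

# Constructed sample key and store, for illustration only.
SAMPLE_KEY = "obs_pub_Zm9vYmFyLWNvbnN0cnVjdGVk"
STORE = {key_digest(SAMPLE_KEY): {"read:services", "read:metrics"}}

if __name__ == "__main__":
    print(authorize(f"Bearer {SAMPLE_KEY}", "read:metrics", STORE))
    print(authorize(f"Bearer {SAMPLE_KEY}", "read:slos", STORE))
    print(authorize(None, "read:services", STORE))
```

A client can use the same split when handling responses: a 401 means the key itself is missing or wrong, a 403 means the key is valid but needs a different scope.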