Authentication · Whitelabel API

Getting a key

Sign in at app.whitelabel.dev
Switch to the workspace you want the key scoped to
Open /account/api-keys
Click Create key, give it a name
Copy the full whlk_... token immediately — it's shown once

Forgot to copy? You'll need to revoke the key and create a new one. Whitelabel can't retrieve the full token after creation (we only store an HMAC).

Using a key

Put the key in the Authorization header on every request:

curl https://app.whitelabel.dev/api/v1/workspaces \
  -H "Authorization: Bearer whlk_..."

Common patterns

From Node.js:

const res = await fetch('https://app.whitelabel.dev/api/v1/workspaces', {
  headers: { 'Authorization': `Bearer ${process.env.WHITELABEL_API_KEY}` }
})
const json = await res.json()

From Python:

import os, httpx
r = httpx.get(
    'https://app.whitelabel.dev/api/v1/workspaces',
    headers={'Authorization': f'Bearer {os.environ["WHITELABEL_API_KEY"]}'}
)

Scope rules

Workspace-scoped. Each key only sees the workspace it was created under. To work across workspaces, create multiple keys.
Role-scoped. A key inherits the creator's role at creation time. Owner-created keys can do everything; member-created keys are limited to what that member can do.
Time-bounded (optional). Keys can have an expiry. Expired keys 401 immediately.

Rotating + revoking

If a key leaks: revoke it at /account/api-keys. Revocation is immediate — within a second the key starts returning 401.

For a rotating workflow:

Create a new key with a new name (e.g. prod-2026-q3)
Update your application to use the new key
Confirm everything works
Revoke the old key

Errors

Status	Meaning
`401`	Missing, malformed, expired, or revoked key
`403`	Key is valid but lacks permission for this resource
`404`	Resource doesn't exist OR the key's workspace can't see it (we don't distinguish — security)
`429`	Rate limit. Response includes `Retry-After` header (seconds)