Authentication

The API accepts a single credential: an API key, passed as a bearer token on every request.

Authorization: Bearer sh_live_<key-id>_<secret>

Creating a key

Sign in and open API Keys in the dashboard. Name the key after its use (e.g. “Content pipeline agent”). The plaintext is shown only once — copy it and store it securely.

Verify the key works

curl https://api.letspost.app/v1/profiles \
  -H "Authorization: Bearer sh_live_xxx"

Rotate & revoke

To rotate, create a new key, point your agent at it, then revoke the old one from the dashboard. Revocations take effect immediately — there is no grace period.

Scope

A key is scoped to the user account that created it. It can read and write any profile that user owns. Per-profile and per-scope keys are on the roadmap.

Storage

We store only the SHA-256 hash of each key. If you lose the plaintext, you must create a new key — we cannot recover the old one.