Authentication
Every protected endpoint expects an Authorization header. Two credential types are accepted, and you choose whichever matches how you're calling the API.
API keys
API keys look like sk_ followed by 32 base64url characters. They're intended for scripts, CLIs, and server-side integrations — anything that runs without a human at the keyboard.
Authorization: sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Notes:
- Keys are shown once at creation time and stored as a SHA-256 hash on our side. If you lose one, revoke it and create another.
- Keys inherit the user's organization memberships. There is no per-org or scoped-token model yet.
- Keys cannot mint more keys — see Quickstart.
Cognito ID tokens
Browsers and the official web app sign in through a Cognito user pool and send the raw ID token (the id_token, not the access token) in the same header, with no Bearer prefix.

Authorization: eyJraWQ...

ID tokens are short-lived (60 minutes). The web app refreshes them silently using the Cognito SDK; a custom integration has to refresh its token the same way before the exp claim passes, or requests will start failing with an authentication error.
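As an added example (not the project's own client or server code), the following Python helper builds the Authorization header for either credential type described above and, on the server side, shows how a key stored only as a SHA-256 hash is checked. The facts taken from this page are the sk_ plus 32 base64url-character key format, the hashed storage, the raw-token header without a Bearer prefix, and the 60-minute ID token lifetime. The refresh callback, the 120-second refresh skew, the key-generation routine and the sample ID token are assumptions constructed for the example.

```python
import base64
import hashlib
import json
import re
import secrets
import time

# Key format from the docs: "sk_" followed by 32 base64url characters.
API_KEY_RE = re.compile(r"^sk_[A-Za-z0-9_-]{32}$")

# Assumption: refresh an ID token this many seconds before its exp claim,
# so that clock skew between client and Cognito does not cause a 401.
REFRESH_SKEW_SECONDS = 120


def is_api_key(credential: str) -> bool:
    """True if the credential has the documented API key shape."""
    return API_KEY_RE.fullmatch(credential) is not None


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_exp(token: str) -> int:
    """Read the exp claim from a JWT without verifying the signature.

    This is only a client-side hint for scheduling a refresh. The API,
    not this function, verifies the signature and the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return int(claims["exp"])


def auth_header(credential, refresh=None, now=None):
    """Return the headers dict for a protected endpoint.

    credential is either an API key or a Cognito ID token. For ID tokens,
    refresh is a zero-argument callable returning a fresh token (a
    hypothetical stand-in for the Cognito SDK's silent refresh); it is
    called when the token is expired or within REFRESH_SKEW_SECONDS of
    expiry. API keys are sent as-is, since they do not expire."""
    now = time.time() if now is None else now
    token = credential
    if not is_api_key(credential):
        if jwt_exp(token) - now <= REFRESH_SKEW_SECONDS:
            if refresh is None:
                raise RuntimeError("ID token expired or expiring and no refresh callback given")
            token = refresh()
    # Raw value for both credential types: no "Bearer " prefix.
    return {"Authorization": token}


def make_sample_id_token(exp: int) -> str:
    """Constructed, unsigned sample in the shape of a Cognito ID token, for
    exercising the client-side expiry logic offline. Not a real token."""
    header = _b64url_encode(json.dumps({"kid": "sample", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps({"exp": exp, "token_use": "id"}).encode())
    return f"{header}.{payload}.constructed-signature"


# --- Server side: keys are stored as SHA-256 hashes, never in plaintext ---

def hash_api_key(key: str) -> str:
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def new_api_key():
    """Assumed generation routine: 24 random bytes encode to exactly 32
    base64url characters. Returns (plaintext shown once, hash to store)."""
    key = "sk_" + secrets.token_urlsafe(24)
    return key, hash_api_key(key)


def verify_api_key(presented: str, stored_hashes) -> bool:
    """Look a presented key up by its hash. Because the key is full-entropy
    random material and only its hash is stored, a set lookup on the hash
    is the whole check; the format test rejects junk before hashing."""
    if not is_api_key(presented):
        return False
    return hash_api_key(presented) in stored_hashes


if __name__ == "__main__":
    key, stored = new_api_key()
    print(auth_header(key))
    print(verify_api_key(key, {stored}))
    tok = make_sample_id_token(exp=int(time.time()) + 3600)
    print(auth_header(tok))
```

Revoking a key is just deleting its hash from the stored set; because the plaintext is never stored, a leaked database of hashes does not yield usable keys, which is why the docs say to revoke and re-create rather than recover a lost key.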
Public endpoints
A small handful of routes are reachable without any credential — health checks, the GitHub OAuth callback, the public invite preview, and the CloudFormation template that customers deploy into their own account. The API reference marks these with an open lock icon.