One header. No OAuth dance.
Every call to api.souslab.site/v1/* requires a single header. Keys are long-lived, prefixed with sk_live_, and stored hashed.
The Bearer header
Generate a key from the dashboard. The plaintext is shown exactly once at creation — we only ever store its SHA-256 hash. Rotate freely; revocation takes effect on the next request.
api.souslab.site
Authorization: Bearer sk_live_a3F8B2c…
200 OK · 38 ms
Key format
- Prefix: sk_live_ — visible in the dashboard.
- Body: 32 base64url characters (256 bits of entropy).
- Display prefix: first 8 characters after the underscore — used to identify a key in the UI without exposing it.
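The hash-only storage and display-prefix lookup described above can be sketched as follows. This is an added example, not souslab's own code: the `KeyStore` class, its in-memory table, and the reading of "display prefix" as the first 8 characters of the key body are assumptions.

```python
import hashlib
import hmac
import re
import secrets

KEY_RE = re.compile(r"sk_live_([A-Za-z0-9_-]{32})")  # prefix + 32 base64url chars


def _digest(plaintext):
    return hashlib.sha256(plaintext.encode("ascii")).hexdigest()


class KeyStore:
    """In-memory stand-in for a key table (hypothetical, for illustration)."""

    def __init__(self):
        self._rows = {}  # display prefix -> list of {"hash": ..., "revoked": ...}

    def issue(self):
        """Return the plaintext key once; only its SHA-256 hash is kept."""
        body = secrets.token_urlsafe(24)  # 24 random bytes encode to 32 base64url chars
        plaintext = "sk_live_" + body
        self._rows.setdefault(body[:8], []).append(
            {"hash": _digest(plaintext), "revoked": False})
        return plaintext

    def revoke(self, display):
        """Mark every key with this display prefix revoked; the next verify() fails."""
        for row in self._rows.get(display, []):
            row["revoked"] = True

    def verify(self, header):
        """Return the display prefix for a valid, unrevoked Bearer key, else None."""
        scheme, _, token = (header or "").partition(" ")
        match = KEY_RE.fullmatch(token)
        if scheme != "Bearer" or match is None:
            return None  # malformed input is rejected before any hashing or lookup
        display, candidate = match.group(1)[:8], _digest(token)
        for row in self._rows.get(display, []):
            # Constant-time comparison of the two hex digests.
            if hmac.compare_digest(row["hash"], candidate) and not row["revoked"]:
                return display
        return None
```

Because only the digest is stored, a copy of the table does not yield usable keys, and logs can record the returned display prefix instead of the Authorization header.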
Rate-limit headers
Every response carries the three rate-limit headers your code needs to behave, plus a correlation ID:
| Header | Meaning |
|---|---|
| X-RateLimit-Limit | Monthly request cap for your plan |
| X-RateLimit-Remaining | Requests left in the current period |
| X-RateLimit-Reset | Unix timestamp when the window rolls over |
| X-Request-Id | Correlation ID, useful when you email support |
Rotating a key
- Create a new key in the dashboard.
- Deploy the new key to production.
- Once you've confirmed the new key is in use (check its Last used timestamp), revoke the old key.
- Revocation is effective on the next request.