Authentication
API keys and authentication
API Keys
API keys are created in your tenant dashboard under Settings → API Keys. Each key is scoped to a single tenant and can have read-only or read/write permissions.
Authorization Header
Include your API key as a Bearer token in the Authorization header of every request:
```http
Authorization: Bearer YOUR_API_KEY
```
Example request
```bash
curl "https://api.knitt.co/v1/content/{tenant_id}/types" \
  -H "Authorization: Bearer knitt_live_abc123def456"
```
Key types
| Type | Prefix | Permissions | Use case |
|---|---|---|---|
| Live | knitt_live_ | Read & Write | Server-side applications |
| Read-only | knitt_read_ | Read only | Client-side / public APIs |
Error responses
If your API key is missing, invalid, or lacks the required permissions, the API returns:
401 Unauthorized:

```json
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key."
  }
}
```

403 Forbidden:

```json
{
  "error": {
    "code": "forbidden",
    "message": "This API key does not have write permissions."
  }
}
```
Security best practices
- Never expose live API keys in client-side JavaScript or mobile apps
- Use read-only keys for public-facing applications
- Store keys in environment variables, not source code
- Rotate keys regularly and revoke any that may be compromised
- Use separate keys for development and production
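A small client-side helper that applies the rules above: it loads the key from an environment variable, classifies it by the documented prefix, refuses to use a live key in a public context, builds the Bearer header, and maps the 401/403 bodies to an exception. This is an added example, not Knitt's own SDK; the environment variable name `KNITT_API_KEY` and the sample response bodies are assumptions constructed from this page.

```python
import json
import os

API_BASE = "https://api.knitt.co/v1"  # base URL as shown on this page
KEY_PREFIXES = {"knitt_live_": "live", "knitt_read_": "read-only"}  # documented prefixes

class ApiAuthError(Exception):
    """Raised for the documented 401 / 403 responses; .code is the API error code."""
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code = status, code

def key_type(api_key: str) -> str:
    """Classify a key by its documented prefix: 'live' or 'read-only'."""
    for prefix, kind in KEY_PREFIXES.items():
        if api_key.startswith(prefix):
            return kind
    raise ValueError("unrecognised API key format")

def redact(api_key: str) -> str:
    """Form safe for logs: both documented prefixes are 11 chars, keep them plus the last 4."""
    key_type(api_key)  # refuse malformed keys rather than leak a partial unknown secret
    return api_key[:11] + "..." + api_key[-4:]

def load_key(var: str = "KNITT_API_KEY", public_context: bool = False) -> str:
    """Read the key from the environment (never from source). In a public / client-side
    context (assumed flag) accept only a read-only key, as the best practices require."""
    api_key = os.environ.get(var)
    if not api_key:
        raise RuntimeError(f"{var} is not set")
    if public_context and key_type(api_key) != "read-only":
        raise PermissionError("live keys must not be shipped to client-side code")
    return api_key

def auth_headers(api_key: str) -> dict:
    """Authorization header exactly as the page specifies."""
    key_type(api_key)  # validate the format before sending it anywhere
    return {"Authorization": f"Bearer {api_key}"}

def handle_response(status: int, body: str) -> dict:
    """Turn the documented 401/403 error bodies into ApiAuthError; otherwise return JSON."""
    data = json.loads(body)
    if status in (401, 403):
        err = data.get("error", {})
        raise ApiAuthError(status, err.get("code", "unknown"), err.get("message", ""))
    return data

# Constructed sample bodies mirroring the page's error examples (not captured traffic).
SAMPLE_401 = '{"error": {"code": "unauthorized", "message": "Invalid or missing API key."}}'
SAMPLE_403 = '{"error": {"code": "forbidden", "message": "This API key does not have write permissions."}}'
```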
Last updated: February 7, 2026