Creating an API key
Open the Arca app and go to Settings → API Keys. Click New API key, give it a label, choose the scopes it needs, and optionally set an expiration date. The key is shown once; copy it immediately.
API key format
Every key starts with the arca_ prefix followed by 64 random hex characters:
Passing the key
Include the key in every request using one of these two headers, not both.
Authorization header (recommended)
X-API-Key header
The Authorization header must use the Bearer prefix and the key must start with arca_; otherwise the server will not recognise it and will return 401.
Expiration
API keys can be created with or without an expiration date. If an expiration date is set and the current time is past it, every request with that key returns:
Scopes
Each API key is granted a set of scopes at creation time. Scopes cannot be changed after the key is created; create a new key if you need different scopes. A request made with a key that lacks the required scope returns 403 Forbidden:
Security best practices
- Never commit keys to source control. Use environment variables or a secrets manager.
- Grant only the scopes you need. A key used for read-only reporting does not need any *:write scopes.
- Set an expiration date for keys used in short-lived scripts or CI pipelines.
- Rotate keys regularly. You can revoke a key in Settings → API Keys at any time.
- The server only stores an encrypted version of the key; the raw value is never stored. If you lose it, you must create a new key.
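To back up the "never commit keys" rule, the key format described above (arca_ plus 64 hex characters) can be checked for before code reaches source control. The following scanner is an added example, not part of the Arca documentation or tooling; it assumes hex digits may be upper- or lower-case, and the sample lines and the ARCA_API_KEY variable name are constructed for illustration.

```python
import re
import sys

# Format from the page: "arca_" prefix followed by 64 hex characters.
# Assumption: hex digits may be lower- or upper-case; the page does not say.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])arca_[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def redact(key: str) -> str:
    """Keep only enough of the key to locate it; never echo the secret."""
    return key[:9] + "..." + key[-4:]


def scan_text(text: str, source: str = "<input>") -> list[tuple[str, int, str]]:
    """Return (source, line_number, redacted_key) for every key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings


def scan_files(paths: list[str]) -> list[tuple[str, int, str]]:
    """Scan each readable file; unreadable paths are reported and skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError as exc:
            print(f"skipped {path}: {exc}", file=sys.stderr)
    return findings


# Constructed sample input (not real keys).
SAMPLE = "\n".join([
    'ARCA_KEY = os.environ["ARCA_API_KEY"]',            # fine: read from env
    'key = "arca_' + "ab12" * 16 + '"',                  # hard-coded key
    'short = "arca_' + "ab12" * 8 + '"',                 # too short, not a key
    'curl -H "X-API-Key: arca_' + "0F" * 32 + '" ...',   # key in a script
])

if __name__ == "__main__":
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for source, lineno, key in results:
        print(f"{source}:{lineno}: possible Arca API key {key}")
    sys.exit(1 if results else 0)
```

Run with file paths as arguments (for example from a pre-commit hook); a non-zero exit status means a key-shaped string was found.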