The SiteVisit API uses Bearer token authentication. Every request must include an Authorization header carrying a key you generated in the dashboard.
Authorization: Bearer sv_live_e059b3544b7fa4b93c7e26933aeba781

Key format

sv_live_<32 hex chars>
  • sv_ is the SiteVisit prefix.
  • live identifies the environment. (We may issue sv_test_* keys in the future.)
  • The tail is 16 random bytes encoded as 32 lowercase hex characters.
We store only a SHA-256 hash of the tail, plus the sv_live_… prefix in cleartext (just enough to identify which key is which in the UI). When we check a key sent on the wire, we compare in constant time.
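As an added illustration (not SiteVisit's own code), this sketch shows how a hash-only key store like the one described above can be checked on each request, returning the 401 codes this page documents. The 12-character lookup prefix, the record layout, and hashing the hex string rather than the raw bytes are assumptions.

```python
import hashlib
import hmac
import re

# Format from the page: sv_live_ followed by 32 lowercase hex characters.
KEY_RE = re.compile(r"sv_live_([0-9a-f]{32})")
PREFIX_LEN = 12  # assumption: cleartext prefix kept for lookup and UI display


def make_record(full_key, revoked=False):
    """Row persisted at issue time: cleartext prefix plus SHA-256 of the tail."""
    tail = KEY_RE.fullmatch(full_key).group(1)
    return {
        "prefix": full_key[:PREFIX_LEN],
        # assumption: the hash covers the 32-char hex string, not the raw bytes
        "tail_sha256": hashlib.sha256(tail.encode("ascii")).digest(),
        "revoked": revoked,
    }


def authenticate(authorization, records):
    """Return (status, error_code) using the codes from the Errors table."""
    if not authorization:
        return 401, "missing_api_key"
    scheme, _, token = authorization.partition(" ")
    token = token.strip()
    match = KEY_RE.fullmatch(token)
    if scheme.lower() != "bearer" or match is None:
        return 401, "invalid_api_key"
    presented = hashlib.sha256(match.group(1).encode("ascii")).digest()
    accepted = False
    for rec in records:
        if rec["prefix"] != token[:PREFIX_LEN]:
            continue  # the prefix is not secret; it only narrows the lookup
        # compare_digest takes the same time wherever the first mismatch is
        same = hmac.compare_digest(presented, rec["tail_sha256"])
        accepted = accepted or (same and not rec["revoked"])
    return (200, None) if accepted else (401, "invalid_api_key")


if __name__ == "__main__":
    # Constructed sample keys, not real credentials.
    live = "sv_live_" + "0123456789abcdef" * 2
    old = "sv_live_" + "fedcba9876543210" * 2
    db = [make_record(live), make_record(old, revoked=True)]
    for header in (f"Bearer {live}", f"Bearer {old}", None, "Bearer sv_live_short"):
        print(header, "->", authenticate(header, db))
```

Because only the digest is stored, a leaked copy of such a table does not hand over usable keys, and the stored row cannot be used to show the secret again after the reveal panel is closed.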

Generate a key

  1. Sign in to sitevisit.app.
  2. Open Settings → Developers.
  3. Type a name (e.g. production-warehouse, marc-laptop) and click Generate key.
  4. Copy the full value immediately — we display it once.
Once you close the reveal panel, the full secret is gone forever. We keep only a hash. If you lose the key, revoke it and issue a new one.

Rotate a key

There’s no rotation endpoint — generate a new key, swap it into your secret store, then revoke the old one once traffic has moved over. This pattern keeps you in control of the cutover window.

Revoke a key

In Settings → Developers, click Revoke next to the key. All subsequent requests made with a revoked key are rejected with 401 invalid_api_key. Revocation is immediate; we do not honor a grace period.

Scopes

Today every key has full read access to the account that issued it. We plan to add read/write scopes when we ship the write endpoints — existing keys will continue to work for reads.

Where to store keys

API keys are secrets. Don’t:
  • Commit them to a repository.
  • Embed them in mobile apps or frontend JavaScript.
  • Share them across teams in chat or email.
Instead, store them in your platform’s secret manager (Vercel envs, AWS Secrets Manager, 1Password, etc.) and inject them at runtime.

Errors

| Status | Code | Meaning |
|--------|------|---------|
| 401 | missing_api_key | No Authorization header was sent. |
| 401 | invalid_api_key | Header present but the key doesn’t match a live, non-revoked key. |
| 403 | forbidden | The key is valid but isn’t allowed to access this resource. |

See the Errors page for the full envelope shape and the docs_url link pattern.