API Authentication
Authenticate with the systemprompt.io API. Learn about API keys, tokens, and authentication flows.
Every request to the systemprompt.io API must be authenticated. The API uses bearer token authentication with API keys that you generate in the dashboard.
Generating an API Key
- Sign in to your account at systemprompt.io.
- Open Settings from the sidebar, then select API Keys.
- Click Create API Key.
- Enter a descriptive name for the key (for example, "Production Backend" or "CI Pipeline").
- Select the scopes you need (see the Scopes and Permissions section below).
- Click Generate.
- Copy the key immediately. It is displayed only once. If you lose it, you will need to create a new key.
Your API key will look something like this:
sp_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Keys prefixed with sp_live_ are production keys. Keys prefixed with sp_test_ are sandbox keys that do not affect your live data.
Using Your API Key
Include the API key in the Authorization header of every request, using the Bearer scheme.
curl
curl https://systemprompt.io/api/v1/skills \
  -H "Authorization: Bearer sp_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
JavaScript (fetch)
const response = await fetch("https://systemprompt.io/api/v1/skills", {
  headers: {
    "Authorization": "Bearer sp_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
    "Content-Type": "application/json"
  }
});
const data = await response.json();
console.log(data);
JavaScript (Node.js with axios)
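const axios = require("axios");
const client = axios.create({
  baseURL: "https://systemprompt.io/api/v1",
  headers: {
    "Authorization": "Bearer sp_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
  }
});
// require() means CommonJS, where top-level await is not available,
// so the request runs inside an async function.
async function main() {
  const { data } = await client.get("/skills");
  console.log(data);
}
// Log only the message: a full axios error object includes the request
// headers, and with them the bearer token.
main().catch((err) => console.error(err.message));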
Python (requests)
import requests
headers = {
    "Authorization": "Bearer sp_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
}
response = requests.get("https://systemprompt.io/api/v1/skills", headers=headers)
print(response.json())
Scopes and Permissions
API keys can be scoped to limit what they are allowed to do. When you create a key, select only the scopes your application needs.
| Scope | Allows |
|---|---|
| skills:read | List and retrieve skills |
| skills:write | Create, update, and delete skills |
| agents:read | List and retrieve agents |
| agents:write | Create, update, and delete agents |
| plugins:read | List and retrieve plugins |
| plugins:write | Install, configure, and remove plugins |
| content:read | List and retrieve content items |
| content:write | Create, update, and delete content |
| mcp:read | List and retrieve MCP server configurations |
| mcp:write | Create and manage MCP server configurations |
A key with no scopes selected will be rejected on all endpoints. You can combine scopes as needed. For example, a key with skills:read and agents:read can list skills and agents but cannot modify either.
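A least-privilege check built on the scope table above, as an added example (not systemprompt.io code). The `resource.verb` operation names are hypothetical labels taken from the verbs in the table, and each scope is treated independently because the page does not say whether a write scope implies read.

```javascript
// Added example: compare the scopes granted to a key with the scopes the
// application's operations actually need.
// ASSUMPTION: "resource.verb" operation names are hypothetical labels built
// from the verbs in the scope table; scopes are treated as independent.
const RESOURCES = ["skills", "agents", "plugins", "content", "mcp"];
const READ_VERBS = ["list", "retrieve"];
const WRITE_VERBS = ["create", "update", "delete", "install", "configure", "remove", "manage"];

// Map one operation such as "skills.list" to the scope it requires.
function scopeFor(operation) {
  const [resource, verb] = operation.split(".");
  if (!RESOURCES.includes(resource)) throw new Error(`unknown resource: ${resource}`);
  if (READ_VERBS.includes(verb)) return `${resource}:read`;
  if (WRITE_VERBS.includes(verb)) return `${resource}:write`;
  throw new Error(`unknown verb: ${verb}`);
}

// missing: calls that would fail with 403 "Insufficient scope".
// excess:  scopes to drop so a leaked key can do less.
function auditKey(grantedScopes, operations) {
  const granted = new Set(grantedScopes);
  const required = new Set(operations.map(scopeFor));
  return {
    required: [...required].sort(),
    missing: [...required].filter((s) => !granted.has(s)).sort(),
    excess: [...granted].filter((s) => !required.has(s)).sort(),
    rejectedEverywhere: granted.size === 0, // a key with no scopes is rejected on all endpoints
  };
}

// Constructed sample: a reporting job that only reads skills and agents,
// running with a key that was granted more than it needs.
const report = auditKey(
  ["skills:read", "skills:write", "agents:write"],
  ["skills.list", "skills.retrieve", "agents.list"]
);
console.log(report);
```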
Rotating Keys
You should rotate API keys periodically and immediately if you suspect a key has been compromised.
- Go to Settings then API Keys in the dashboard.
- Click Create API Key to generate a new key with the same scopes as the old one.
- Update your application to use the new key.
- Verify the new key works by making a test request.
- Click Revoke on the old key to disable it.
Revoked keys stop working immediately. Any in-flight requests using the old key will fail with a 401 Unauthorized response.
Security Best Practices
Follow these practices to keep your API keys safe.
Never commit keys to version control. Store API keys in environment variables or a secrets manager. Add your .env file to .gitignore.
# .env file (never commit this)
SYSTEMPROMPT_API_KEY=sp_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
// Read from environment
const apiKey = process.env.SYSTEMPROMPT_API_KEY;
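A check for keys that have slipped into files on their way to version control, as an added example (not systemprompt.io code). The pattern is an assumption based on the single sample key shown on this page, and the input lines are constructed.

```javascript
// Added example: find sp_live_ / sp_test_ keys in text before it is committed.
// ASSUMPTION: a key is the prefix followed by at least 16 alphanumeric
// characters; the page shows one sample key, not a format specification.
const KEY_PATTERN = /\bsp_(live|test)_[A-Za-z0-9]{16,}\b/g;

// Keep the 8-character prefix and the last four characters so that the
// report itself never repeats the secret.
function redact(key) {
  return `${key.slice(0, 8)}****${key.slice(-4)}`;
}

// Return one finding per key occurrence, with a 1-based line number.
function scanText(text, file = "<stdin>") {
  const findings = [];
  text.split(/\r?\n/).forEach((line, index) => {
    for (const match of line.matchAll(KEY_PATTERN)) {
      findings.push({
        file,
        line: index + 1,
        environment: match[1], // "live" or "test"
        severity: match[1] === "live" ? "high" : "low",
        redacted: redact(match[0]),
      });
    }
  });
  return findings;
}

// Constructed sample input: a committed .env line, a safe environment
// lookup, a curl header with a sandbox key, and a bare prefix.
const SAMPLE = [
  "SYSTEMPROMPT_API_KEY=sp_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
  "const apiKey = process.env.SYSTEMPROMPT_API_KEY;",
  '-H "Authorization: Bearer sp_test_0000000000000000000000000000abcd"',
  "prefix only, not a key: sp_live_",
].join("\n");

console.log(scanText(SAMPLE, "sample.env"));
```

Run as a pre-commit step over the output of `git diff --cached`, a non-empty result is the signal to block the commit and rotate any `live` key that was found.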
Use the minimum scopes needed. A key that only needs to read skills should not have write access to agents. If a key is compromised, limited scopes reduce the potential damage.
Use separate keys for separate environments. Create different keys for development, staging, and production. Use sp_test_ keys during development so mistakes do not affect live data.
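A startup guard that enforces the live/sandbox separation described above, as an added example (not systemprompt.io code). `APP_ENV` is a hypothetical variable naming the deployment environment; `SYSTEMPROMPT_API_KEY` is the name used in the `.env` sample on this page.

```javascript
// Added example: load the key from the environment and refuse to start when
// its prefix does not match the deployment environment.
// ASSUMPTION: APP_ENV is a hypothetical variable ("production", "staging",
// "development"); anything other than "production" must use a sandbox key.
function resolveApiKey(env) {
  const key = (env.SYSTEMPROMPT_API_KEY || "").trim();
  const appEnv = env.APP_ENV || "development";

  if (!key) throw new Error("SYSTEMPROMPT_API_KEY is not set");
  // Quotes or whitespace left over from .env quoting produce a malformed
  // key, which the API answers with 401 "Invalid API key".
  if (/[\s"']/.test(key)) throw new Error("key contains quotes or whitespace");

  const isLive = key.startsWith("sp_live_");
  const isTest = key.startsWith("sp_test_");
  if (!isLive && !isTest) throw new Error("key has neither sp_live_ nor sp_test_ prefix");
  if (appEnv === "production" && isTest) throw new Error("sandbox key used in production");
  if (appEnv !== "production" && isLive) throw new Error(`production key used in ${appEnv}`);

  // Error messages above never include the key, so they are safe to log.
  return { appEnv, headers: { Authorization: `Bearer ${key}` } };
}

// Return the rejection reason, or null when the configuration is accepted.
function rejectionReason(env) {
  try {
    resolveApiKey(env);
    return null;
  } catch (err) {
    return err.message;
  }
}

// Constructed sample: a developer machine that picked up the production key.
console.log(rejectionReason({
  SYSTEMPROMPT_API_KEY: "sp_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
  APP_ENV: "development",
}));
```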
Set up key expiration. When creating a key, you can set an optional expiration date. Keys that expire automatically reduce the risk of forgotten, unused keys lingering in your infrastructure.
Monitor key usage. Check the API Keys page in the dashboard to see when each key was last used. Revoke any key that has been inactive for an extended period or is no longer needed.
Troubleshooting
401 Unauthorized -- "Invalid API key"
The key is missing, malformed, or has been revoked. Double-check that you are sending it in the Authorization header with the Bearer prefix.
403 Forbidden -- "Insufficient scope"
Your key does not have the required scope for this endpoint. Go to the dashboard, check the key's scopes, and either update them or create a new key with the correct scopes.
401 Unauthorized -- "Expired API key"
The key has passed its expiration date. Generate a new key in the dashboard.
Key not shown after creation
API keys are displayed only once at creation time. If you did not copy it, revoke the key and create a new one.