
Authentication

Every request to /api/public/v1/* must include an API key.

Key format

Keys look like onn_live_<48 hex characters> — a public prefix and an opaque secret. The prefix identifies the key for lookup; the secret is hashed with argon2id and is never stored in plaintext.

Sending the key

Pass the key in the Authorization header using the Bearer scheme:

Authorization: Bearer onn_live_a1b2c3d4...

Scopes

Each key carries a set of scopes that limit which endpoints it can call:

  • tables:read, tables:write
  • pages:read
  • skills:read
  • tasks:read

If a key is missing the required scope for an endpoint, the response is 403 forbidden.

Key lifecycle

  • Keys can be revoked at any time from workspace settings — revoked keys stop working immediately.
  • The last_used_at timestamp updates on every successful request (debounced to once per 60 s) so you can audit what's still in use.
  • Workspace admins are the only members who can create or revoke keys.

Watch out

Treat keys like passwords. Never commit them to a repo, never paste them in chat. If a key leaks, revoke and rotate immediately.
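To catch a key before it reaches a repo, the documented key format can be matched mechanically. The scanner below is an added example, not part of this API's own tooling; the function names, the choice to accept either hex case, and the redaction length are assumptions, and the sample key is constructed.

```python
import re
import sys
from pathlib import Path

# Format from "Key format": onn_live_ followed by 48 hex characters.
# Assumption: hex may be upper or lower case. The lookarounds reject a match
# that is only part of a longer identifier (e.g. 49+ hex characters).
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])onn_live_[0-9a-fA-F]{48}(?![0-9A-Za-z])")

# Constructed sample input; the key is made up and not a real credential.
SAMPLE_KEY = "onn_live_" + "a1b2c3d4" * 6
SAMPLE = (
    "API_URL=https://example.invalid\n"
    f'API_KEY="{SAMPLE_KEY}"\n'
    "# truncated doc example, must not match: onn_live_a1b2c3d4...\n"
)

def redact(key):
    """Show just enough to identify the key; never echo the full secret."""
    return key[:13] + "..."

def find_keys(text):
    """Return (line_number, redacted_key) for each key-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            hits.append((lineno, redact(m.group(0))))
    return hits

def scan_paths(paths):
    """Scan files and return {path: hits} for files containing a key."""
    report = {}
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable or deleted file: nothing to scan
        hits = find_keys(text)
        if hits:
            report[str(p)] = hits
    return report

if __name__ == "__main__":
    report = scan_paths(sys.argv[1:])
    for path, hits in report.items():
        for lineno, key in hits:
            print(f"{path}:{lineno}: possible API key {key}")
    sys.exit(1 if report else 0)  # non-zero exit blocks a commit hook or CI job
```

Run it with the file paths to check as arguments. Any hit should be handled as a leak: revoke and rotate the key, since removing the line does not remove it from history.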