Skip to content

Authentication

The GoByte API authenticates every request with an API key. There are no sessions or cookies for API access — each request must carry your key.

The Authorization header

Pass your key as a Bearer token on every request:

Authorization: Bearer gb_live_sk_your_key_here

All live keys start with the gb_live_ prefix so they are easy to recognize in logs and code review. A request without a valid key returns 401.

Creating a key

Keys are minted from Settings → API Keys in the dashboard. When you create a key, GoByte shows the full value once. Copy it immediately — GoByte stores only a SHA-256 hash of the key and can never reveal it again. If you lose a key, delete it and create a new one.

Scopes

Each key is granted a set of scopes that limit what it can do. Grant the minimum a given integration needs.

Scope Grants
links:read List and read links and their details.
links:write Create and update links.
links:delete Delete (deactivate) links.
analytics:read Read click analytics for links.
workspaces:read Read workspace information.

A call that requires a scope your key does not hold returns 403.

Security best practices

Keep keys secret

Never commit keys to version control, embed them in front-end code, or paste them into shared documents. Store them in a secrets manager or environment variables.

Keys are hashed at rest

GoByte stores only a SHA-256 hash of each key. Even GoByte cannot recover the original value, which is why it is shown only at creation time.

Use least privilege

Give each key only the scopes it needs. A key used only to read analytics should not carry links:delete.

Use separate keys per integration

Issue a distinct key for each app or service. If one is compromised you can revoke it without disrupting the others.

Rotating keys

Rotate keys periodically and immediately if one may have been exposed:

  1. Create a new key. Mint a fresh key with the same scopes in the dashboard.
  2. Update your integration. Deploy the new key to your app or secrets store.
  3. Delete the old key. Remove the previous key. It stops working immediately.

Info

Deleting a key takes effect right away. Roll out the replacement before deleting the old one to avoid downtime.