Authentication¶
The GoByte API authenticates every request with an API key. There are no sessions or cookies for API access — each request must carry your key.
The Authorization header¶
Pass your key as a Bearer token on every request:
All live keys start with the gb_live_ prefix so they are easy to recognize in
logs and code review. A request without a valid key returns 401.
Creating a key¶
Keys are minted from Settings → API Keys in the dashboard. When you create a key, GoByte shows the full value once. Copy it immediately — GoByte stores only a SHA-256 hash of the key and can never reveal it again. If you lose a key, delete it and create a new one.
Scopes¶
Each key is granted a set of scopes that limit what it can do. Grant the minimum a given integration needs.
| Scope | Grants |
|---|---|
links:read |
List and read links and their details. |
links:write |
Create and update links. |
links:delete |
Delete (deactivate) links. |
analytics:read |
Read click analytics for links. |
workspaces:read |
Read workspace information. |
A call that requires a scope your key does not hold returns 403.
Security best practices¶
Keep keys secret
Never commit keys to version control, embed them in front-end code, or paste them into shared documents. Store them in a secrets manager or environment variables.
Keys are hashed at rest
GoByte stores only a SHA-256 hash of each key. Even GoByte cannot recover the original value, which is why it is shown only at creation time.
Use least privilege
Give each key only the scopes it needs. A key used only to read analytics
should not carry links:delete.
Use separate keys per integration
Issue a distinct key for each app or service. If one is compromised you can revoke it without disrupting the others.
Rotating keys¶
Rotate keys periodically and immediately if one may have been exposed:
- Create a new key. Mint a fresh key with the same scopes in the dashboard.
- Update your integration. Deploy the new key to your app or secrets store.
- Delete the old key. Remove the previous key. It stops working immediately.
Info
Deleting a key takes effect right away. Roll out the replacement before deleting the old one to avoid downtime.