Getting Started

Authentication

The three credential types the Dorascribe API uses and where each applies.

The Dorascribe API uses three kinds of credentials depending on which surface you're calling. All of them are sent as request headers — never in the body.

Organization API key

Your organization API key authenticates the External API and Widget API. Send it in either header form:

Shell
# Preferred
X-API-Key: org_your_api_key_here

# Also accepted
Authorization: Bearer org_your_api_key_here

The API key must be provided in a header. It cannot be sent in the request body and will not be read from there.

Access tokens (Prepaid Credits)

Organizations on Prepaid Credits issue per-user access tokens. Unlike the API key, an access token is passed in the request body of widget calls that require it (for example token on /widget/init). Manage them with the /external/access-tokens endpoints. On Pay-as-You-Use, access tokens are optional. See Billing models for the difference.

Dashboard bearer token

The Organization Dashboard endpoints (credit balance, usage logs, transactions) are used by signed-in users and authenticate with a Sanctum bearer token rather than the org API key:

Shell
Authorization: Bearer your_sanctum_token_here

Which credential goes where

API surfaceCredentialSent in
External API (access tokens)Organization API keyHeader
Widget API (init, generate, templates…)Organization API keyHeader
Widget access token (Prepaid)Access tokenRequest body
Organization DashboardSanctum bearer tokenHeader

Full per-endpoint requirements are in the API Reference.