Getting Started
Authentication
The three credential types the Dorascribe API uses and where each applies.
The Dorascribe API uses three kinds of credentials depending on which surface you're calling. All of them are sent as request headers — never in the body.
Organization API key
Your organization API key authenticates the External API and Widget API. Send it in either header form:
# Preferred
X-API-Key: org_your_api_key_here
# Also accepted
Authorization: Bearer org_your_api_key_here
The API key must be provided in a header. It cannot be sent in the request body and will not be read from there.
Access tokens (Prepaid Credits)
Organizations on Prepaid Credits issue per-user access tokens. Unlike the
API key, an access token is passed in the request body of widget calls that
require it (for example token on /widget/init). Manage them with the
/external/access-tokens endpoints. On Pay-as-You-Use, access tokens are
optional. See Billing models for the difference.
Dashboard bearer token
The Organization Dashboard endpoints (credit balance, usage logs, transactions) are used by signed-in users and authenticate with a Sanctum bearer token rather than the org API key:
Authorization: Bearer your_sanctum_token_here
Which credential goes where
| API surface | Credential | Sent in |
|---|---|---|
| External API (access tokens) | Organization API key | Header |
| Widget API (init, generate, templates…) | Organization API key | Header |
| Widget access token (Prepaid) | Access token | Request body |
| Organization Dashboard | Sanctum bearer token | Header |
Full per-endpoint requirements are in the API Reference.

