Authentication

All API requests must include your API key. Generate keys from Dashboard → API → API Keys. Each key is shown once; store it securely.

Bearer token (recommended)

Send your API key in the Authorization header. Keys start with fce_.

http
Authorization: Bearer fce_xxxxxxxxxxxxxxxxxxxx

Query parameter

Alternatively, pass api_key=fce_xxxx as a query parameter (e.g. for WebSocket). Prefer the header in production to avoid key leakage in logs.

Security

  • Never commit API keys to version control. Use environment variables or a secrets manager.
  • Rotate keys periodically from Dashboard → API → API Keys. Revoke compromised keys immediately.
  • Use HTTPS only; the API does not accept plain HTTP.

Invalid key responses

All auth errors return HTTP 401 with one of the following bodies:

401Missing or malformed key

json
{
  "success": false,
  "error": "unauthorized",
  "message": "Missing or invalid API key. Pass your key in the Authorization header: Bearer fce_..."
}

401Revoked key

json
{
  "success": false,
  "error": "key_revoked",
  "message": "This API key has been revoked. Generate a new key at freecustom.email/dashboard/api."
}