Authentication
Every request is authenticated with a bearer token. Tokens are created in the dashboard under /app/keys and live in two environments: test (sandbox, no money moves) and live.
Header
Authorization: Bearer bq_live_AbCdEfGhIjKlMnOp...
Test vs live
Test keys are prefixed bq_test_; live keys are prefixed bq_live_. Both authenticate against the same endpoints; the platform routes the call based on the prefix. Test keys are free and unlimited.
Where keys live
- Keep keys out of the browser and out of git. The bq_live_ prefix is your friend: a leaked live key is a billable incident.
- Rotate any key on demand at /app/keys. Issuing a live key is a step-up verified action.
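
One way to enforce the "out of git" rule, added here as an example and not part of the platform's own tooling: a scanner run over files before commit that flags keys by their bq_live_ / bq_test_ prefix. The key body pattern (16 or more alphanumeric characters) and the sample keys are assumptions constructed for illustration.

```python
import re
import sys

# Assumption: the key body after the prefix is 16+ characters of [A-Za-z0-9];
# the page only documents the prefixes and shows a truncated sample key.
KEY_RE = re.compile(r"\bbq_(live|test)_[A-Za-z0-9]{16,}")


def redact(key: str) -> str:
    """Keep the prefix plus 4 characters so a finding is traceable, not reusable."""
    prefix_end = key.index("_", 3) + 1  # end of "bq_live_" or "bq_test_"
    return key[: prefix_end + 4] + "****"


def scan_text(text: str, path: str = "<stdin>"):
    """Return findings as (path, line_no, environment, redacted_key) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append((path, line_no, m.group(1), redact(m.group(0))))
    return findings


def should_block(findings) -> bool:
    """Live keys block the commit; test keys are reported as warnings only."""
    return any(env == "live" for _, _, env, _ in findings)


# Constructed sample input; these are not real keys.
SAMPLE = '''\
# constructed sample, not real keys
API_BASE = "https://api.example.invalid"
BQ_KEY = "bq_live_AbCdEfGhIjKlMnOp1234"
TEST_KEY = "bq_test_ZyXwVuTsRqPoNmLk5678"
header = "Authorization: Bearer " + os.environ["BQ_API_KEY"]
'''

if __name__ == "__main__":
    # Usage: python scan_keys.py FILE [FILE ...]; with no files, scans SAMPLE.
    found = []
    for p in sys.argv[1:]:
        with open(p, encoding="utf-8", errors="replace") as fh:
            found += scan_text(fh.read(), p)
    if not sys.argv[1:]:
        found = scan_text(SAMPLE, "sample.py")
    for path, line_no, env, key in found:
        level = "BLOCK" if env == "live" else "WARN"
        print(f"{level} {path}:{line_no} {env} key {key}")
    sys.exit(1 if should_block(found) else 0)
```

A live key found this way is treated as already leaked: revoke it at /app/keys rather than only removing it from the commit.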
If a key leaks
Revoke it from /app/keys — revocation is immediate. Requests with a revoked key return 401 Unauthorized within seconds of revocation.
Errors
HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
  "error": {
    "type": "auth_invalid",
    "message": "API key not recognized or has been revoked.",
    "request_id": "req_8x9..."
  }
}