Authentication
Secret keys, public keys, scopes, and sandbox vs live.
SoftSolz uses two kinds of keys.
| Key | Prefix | Used for | Where |
|---|---|---|---|
| Secret key | sk_test_* / sk_live_* | Server-to-server API calls | Backend only - never ship in a browser |
| Public key | pk_test_* / pk_live_* | Embed widgets | Safe in the browser, locked to a domain allowlist |
Legacy svai_test_* / svai_live_* secret keys keep working.
Secret keys
Send the key as a Bearer token:
curl https://app.softsolz.uk/api/v1/services/forms/forms \ -H "Authorization: Bearer sk_live_your_key"Test vs live
sk_test_* keys route to your paired sandbox workspace; sk_live_* keys hit live data. Test keys never see live data, and live keys never see sandbox data.
Scopes
Every key carries service.<service>.<action> scopes (for example service.forms.submit). A request missing the required scope returns 403 with code: missing_scope. A key can only be created with scopes the creator's role already grants.
Keep secret keys secret
sk_* keys grant full server access. Store them in your server environment, never in client-side code or a public repo. Rotate immediately if one leaks.
Caps
Up to 100 active API keys per workspace.