Authentication
Exchange an API key for a short-lived Bearer access token
Authenticating to the Voodoo Center API is a two-credential flow:
- A long-lived API key (
ak_...) that you create and manage in the dashboard. - A short-lived access token (a Bearer JWT) that you obtain by exchanging the API key, and send on every API request.
You never send the raw API key to the API endpoints — you exchange it for a token first, then authenticate with the token.
1. Create an API key
In the dashboard, open the API page and create a key.
- The raw key is shown once, at creation, in the format
ak_.... Copy it immediately and store it somewhere secret — it is hashed server-side and can never be recovered. - You can create, list and revoke keys from the same page. Revoking a key immediately blocks any new token exchanges with it (tokens already issued remain valid until they expire).
Treat an ak_ key like a password. If it leaks, revoke it in the dashboard and
create a new one.
2. Exchange the key for an access token
POST your key to the token endpoint. The response contains an
access_token valid for 2 hours (it carries origin=api).
cURL
Python
If the key is unknown or revoked you get 401 with {"error": "Invalid credentials"}. If API-key auth is not enabled for your account’s domain you get
403.
3. Call the API with the token
Send the token in the Authorization header as a Bearer credential on every
request:
cURL
Python
Token lifetime and refresh
Access tokens expire 2 hours after they are issued. There is no refresh
token — when a token expires (or you get a 401 with
code: "not_authenticated"), simply exchange your API key again for a fresh
token.
A common pattern is to cache one token in memory and re-exchange when it is
close to expiry (or lazily, on the first 401).
A single API key can be exchanged as often as you need. Keep the key secret and the tokens short-lived — don’t persist tokens longer than their 2-hour window.
Authenticating the API Explorer
You don’t have to run this two-step flow by hand to try the API. The interactive API Explorer in the API Reference does the token exchange for you:
- Enter only your
ak_API key in the Explorer’s authorization panel. - When you run any endpoint, the Explorer calls
POST /api/v1/auth/token/clientwith your key, reads back theaccess_token, and sends it asAuthorization: Bearer <token>automatically. - You never paste a JWT, and you don’t authorize the token endpoint itself (it’s public).
The Explorer runs from docs.voodoo.center, which is allow-listed by the API’s
CORS policy, so its live requests reach the API and the token endpoint directly
from your browser.
Transport
All access is over https://api.voodoo.center, which is fronted by Cloudflare.
Always use HTTPS; plain-HTTP requests are not supported.