Authorization: Bearer rw_your_api_key
Getting an API key
- Open your dashboard → Integration
- Click New API key, give it a name
- Copy the key — it is shown only once
- Under Access, select the point systems this key can interact with
A key with no point systems assigned has no access to any data or actions. Always scope keys to the minimum required point systems.
Scoping keys to point systems
Each API key is scoped to one or more point systems. Any request that references a pointSystemId not in that key’s scope will be rejected with a 403.
This lets you issue separate keys per application or environment:
| Key | Scoped systems | Use case |
|---|---|---|
| rw_prod_... | Production system | Live app |
| rw_staging_... | Staging system | CI / testing |
| rw_readonly_... | Any system | Dashboard integrations |
API keys always start with rw_ followed by a 64-character hex string.
rw_384c65cdd3f5ff16edb2b7049bc8fe9ccfa2cbb7fd3b1e9c21b372a037279575
Keys are stored as a SHA-256 hash — Rewards never has access to the raw key after generation.
Error responses
| Status | Message | Cause |
|---|---|---|
| 401 | Missing API key | No Authorization header |
| 401 | Invalid API key format | Key doesn’t start with rw_ |
| 401 | Invalid API key | Key not found |
| 403 | This API key does not have access to the specified point system | Key not scoped to that pointSystemId |
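The checks in the error table, combined with SHA-256 key storage and per-key scoping, can be modeled as below. This is an added example, not Rewards' own code: the function names, the in-memory store, the point system ids, the Bearer parsing and the 200 result are assumptions.

```python
import hashlib

# Constructed sample keys: "rw_" followed by 64 hex characters.
SCOPED_KEY = "rw_" + "ab" * 32
UNSCOPED_KEY = "rw_" + "cd" * 32


def digest(raw_key: str) -> str:
    """SHA-256 hex digest; only this value is persisted, never the raw key."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


# Hypothetical store: key digest -> set of point system ids the key may touch.
KEY_STORE = {
    digest(SCOPED_KEY): {"ps_staging"},  # scoped to one system
    digest(UNSCOPED_KEY): set(),         # no systems assigned: no access at all
}


def authorize(headers: dict, point_system_id: str, store: dict = KEY_STORE):
    """Return (status, message) in the order the error table lists the checks."""
    auth = headers.get("Authorization")
    if not auth:
        return 401, "Missing API key"

    # Assumption: the header value is "Bearer <key>"; any other shape is
    # treated as a format error.
    scheme, _, key = auth.partition(" ")
    if scheme != "Bearer" or not key.startswith("rw_"):
        return 401, "Invalid API key format"

    # Look the key up by digest, so the raw key never needs to be stored.
    scopes = store.get(digest(key))
    if scopes is None:
        return 401, "Invalid API key"

    # Deny by default: a pointSystemId outside the key's scope gets a 403.
    if point_system_id not in scopes:
        return 403, "This API key does not have access to the specified point system"

    return 200, "OK"  # assumed success result, not documented on this page


if __name__ == "__main__":
    print(authorize({"Authorization": "Bearer " + SCOPED_KEY}, "ps_staging"))
    print(authorize({"Authorization": "Bearer " + SCOPED_KEY}, "ps_prod"))
    print(authorize({"Authorization": "Bearer " + UNSCOPED_KEY}, "ps_staging"))
```

Because the store holds only digests, a leaked copy of it does not reveal usable keys, and a key created without any point systems is rejected for every pointSystemId.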