Authentication
Private beta. Self-serve key provisioning ships with the platform-console release. In the meantime, join the waitlist and we'll mint your key manually — usually within a day.
Every request carries a Bearer key. Keys are prefixed and hashed server-side, scoped to a tenant, and revocable without downtime.
API key header
Send your key in the X-Goable-Key header on every request:
X-Goable-Key: sk_live_xxxxxxxxxxxxxxxxxxxxxxxxWith the SDK you pass it once to the constructor and it's attached to every call:
const goable = new GoableClient({ apiKey: process.env.GOABLE_API_KEY! })
How keys are stored
A key is a single opaque string. Server-side, the first 16 characters are kept as an indexed prefix for fast lookup; the full token is verified against a SHA-256 hash. The raw token is shown once at creation and never stored in plaintext — if you lose it, rotate.
Rotating & revoking
Issue and revoke keys from the admin dashboard. Revocation is immediate: the next request with a revoked key returns 401 UNAUTHORIZED. Rotate by issuing a new key, moving traffic, then revoking the old one — there is no downtime.
Test vs live
Keys are minted as test or live. Test keys exercise the full engine but are tagged in the audit log and excluded from billing and the research dataset. Use them in CI and staging.