Authentication
API key
All requests must include your API key in the Authorization header:
Authorization: Bearer YOUR_API_KEY
If the header is missing or the key is invalid, the API returns 401 Unauthorized.
Workspace scope
Each API key is bound to one workspace at the time of creation. Requests made with that key operate within that workspace only — the key cannot access other workspaces, even if your account is a member of them.
Access rules
What you can access depends on your role in the workspace and on individual projects:
- Workspace members (Owner, Manager, Member) can access projects that allow workspace-wide visibility.
- Project members can always access the projects they belong to.
- Connected-project participants can access projects shared from another workspace.
Some endpoints require a minimum project role to write data:
| Endpoint | Minimum required role |
|---|---|
| Create Comment | Owner, Manager, Member, Reviewer, or RestrictedReviewer |
| Update Status | Owner, Manager, Member, Reviewer, or RestrictedReviewer |
| Add Reaction | Owner, Manager, Member, Reviewer, or RestrictedReviewer |
| Remove Reaction | Owner, Manager, Member, Reviewer, or RestrictedReviewer |
If your key has read access to a resource but not write access, the API returns 403 Forbidden.
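The 401 and 403 responses described above call for different handling in a client. This is an added example, not code from this API's documentation: the local stub server, the key value, the /example path and the exception names are all constructed for illustration.

```python
import http.client, http.server, json, threading

VALID_KEY = "constructed-test-key"  # constructed value, not a real credential

class StubAPI(http.server.BaseHTTPRequestHandler):
    """Constructed local stand-in: VALID_KEY may read but has no write role."""
    def do_GET(self):
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        if self.headers.get("Authorization") != f"Bearer {VALID_KEY}":
            code = 401                      # header missing or key invalid
        elif self.command == "POST":
            code = 403                      # read access only, write refused
        else:
            code = 200
        body = json.dumps({"status": code}).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    do_POST = do_GET
    def log_message(self, *args):           # silence per-request logging
        pass

class InvalidKey(Exception): pass
class WriteForbidden(Exception): pass

def call(host, port, method, path, api_key=None, payload=None):
    """One request with the Bearer header; maps 401 and 403 to distinct errors."""
    headers = {"Authorization": f"Bearer {api_key}"} if api_key else {}
    body = json.dumps(payload) if payload is not None else None
    # Plain HTTP is for the loopback stub only; use HTTPSConnection for a real API.
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        status, data = resp.status, resp.read()
    finally:
        conn.close()
    if status == 401:   # credential problem: stop and fix the key, retrying will not help
        raise InvalidKey("missing or invalid API key")
    if status == 403:   # key is valid; the role behind it cannot write here
        raise WriteForbidden(f"{method} {path} refused for this role")
    return json.loads(data)

def start_stub():
    server = http.server.HTTPServer(("127.0.0.1", 0), StubAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]
```

Keeping the two errors separate lets monitoring distinguish a revoked or leaked-and-rotated key (401) from a key that is valid but used beyond its role (403).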
Restricted reviewers
Restricted reviewers only receive versions that have been explicitly marked for restricted access. Other versions in the same project are not returned to them.