Authentication

API keys

API keys are scoped to a workspace — every call made with a key acts on that workspace's events and data. Keys look like gck_… and are sent in the x-api-key header:

curl https://api.gathercloud.dev/v1/events \
  -H "x-api-key: gck_..."

Getting a key

Dashboard: API Keys → Create key (workspace owners and admins). The full key is shown exactly once at creation — store it in your secrets manager; only a hash is kept on our side.
API: with an existing key you can mint additional ones:

curl -X POST https://api.gathercloud.dev/v1/api-keys \
  -H "x-api-key: gck_..." \
  -H "content-type: application/json" \
  -d '{ "name": "staging-backend" }'

Revoking & deleting

Revoke a key from the dashboard at any time — it stops working immediately. A revoked key stays listed for auditability; delete it from the dashboard once you no longer need the record.

Keep keys server-side

API keys grant full management access to the workspace. Never embed them in browser or mobile code — call the API from your backend. End-user surfaces (viewer, stage) use short-lived session tokens issued by GatherCloud and never need your API key.

Authentication ​

API keys ​

Getting a key ​

Revoking & deleting ​

Keep keys server-side ​

Authentication

API keys

Getting a key

Revoking & deleting

Keep keys server-side