
API Keys

All Partner API requests require a Bearer token in the Authorization header. API keys are prefixed with pk_live_.
Authorization: Bearer pk_live_abc123...

Generating an API Key

  1. Log in to the Puffle dashboard
  2. Navigate to Settings → API
  3. Click Generate API Key
  4. Copy and store the key — it is shown only once
Each account has one active API key at a time. Generating a new key does not automatically revoke the previous one — you must revoke it explicitly.

Revoking an API Key

Keys can be revoked from the dashboard or via the API:
curl -s -X DELETE \
  -H "Authorization: Bearer pk_live_abc123" \
  "https://app.getlima.ai/api/v1/partners/api-key"
Revocation is immediate — any in-flight requests using the revoked key will fail with 401.

Session Authentication

A small set of account-management endpoints — specifically those that create, view, and revoke API keys (/api/v1/partners/api-key) — use session-based authentication (browser cookies) rather than Bearer tokens. These are designed to be called from the Puffle dashboard UI, not from your backend. The webhook portal endpoint (/api/v1/partners/portal) uses Bearer token authentication.

Security Best Practices

API keys grant full access to your Puffle account. Always make API calls from your backend — never from browser JavaScript or mobile apps where the key could be extracted.
Store your key in an environment variable (PUFFLE_API_KEY) and reference it in code. Never hard-code keys or commit them to version control.
Generate a new key and update your services before revoking the old one to avoid downtime.
Use the Puffle dashboard to review API key usage. If you detect unexpected activity, revoke the key immediately.
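One way to enforce the rule against hard-coding keys is a scan for the pk_live_ prefix before code is committed. This is an added example, not Puffle tooling; the key character set, the minimum length, the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
import sys

# Assumption: the page documents only the "pk_live_" prefix; the character set
# and minimum length of the secret part are guesses, tune them to real keys.
KEY_RE = re.compile(r"pk_live_[A-Za-z0-9_\-]{6,}")

# Placeholder used in this page's own examples; harmless in documentation.
ALLOWLIST = {"pk_live_abc123"}


def redact(key):
    """Keep the prefix and last 4 characters: identifiable, but not usable."""
    return "pk_live_..." + key[-4:]


def scan_text(name, text):
    """Return (file, line number, redacted key) for each hard-coded key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if match.group(0) not in ALLOWLIST:
                findings.append((name, lineno, redact(match.group(0))))
    return findings


def scan_files(paths):
    """Scan the given files, e.g. the staged files in a pre-commit hook."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(path, fh.read()))
    return findings


# Constructed sample: a hard-coded key (flagged), an environment lookup (clean),
# and the documentation placeholder (allowlisted).
SAMPLE = '''\
API_KEY = "pk_live_9f8e7d6c5b4a3f2e1d0c"
api_key = os.environ["PUFFLE_API_KEY"]
# curl -H "Authorization: Bearer pk_live_abc123" ...
'''

if __name__ == "__main__":
    args = sys.argv[1:]
    results = scan_files(args) if args else scan_text("<sample>", SAMPLE)
    for name, lineno, key in results:
        print(f"{name}:{lineno}: hard-coded Puffle API key {key}")
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets a pre-commit hook or CI job block the change; findings print only the redacted form so the scan output does not itself leak the key.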

Error Responses

Status  Code          Cause
401     unauthorized  Missing, malformed, or revoked Bearer token
403     forbidden     Valid token but insufficient permissions

{
  "error": {
    "code": "unauthorized",
    "message": "Missing or invalid authentication credentials."
  }
}