Authentication
Every public API request is authenticated with a workspace API key. The key identifies your workspace — treat it like a password.
Creating a key
- In the app, go to API Keys.
- Create a key and give it a name (e.g. "Landing page").
- Copy it immediately — the full key is shown only once. If you lose it, revoke it and create a new one.
Keys can be revoked at any time from the same page; a revoked key stops working instantly.
Sending the key
Pass the key on every request in either of these headers:
Authorization: Bearer YOUR_API_KEY
or
X-API-Key: YOUR_API_KEY
Authorization: Bearer is the recommended form.
Example
curl https://crm.api.kushicorp.com/public/v1/collections/COLLECTION_ID/schema \
-H "Authorization: Bearer YOUR_API_KEY"
A missing or invalid key returns 401:
{ "error": "invalid or missing API key" }
Keep keys server-side where you can. If a key must live in client-side/browser code (e.g. a static landing page), scope your use to record creation and rotate the key if it's ever exposed.