Guide
Authentication
Bearer API keys, audiences, scopes, and secure handling.
Bearer tokens
Every public API request requires Authorization: Bearer <key>. Do not put keys in query strings, browser bundles, or client-side storage.
curl https://api.statxe.com/api/v1/me \ -H "Authorization: Bearer stx_live_xxx"
Scopes
Keys are scoped. Missing a required scope returns missing_scope with a stable docs_url. Prefer least-privilege keys per integration (e.g. contacts:read only for a CRM sync reader).
Rotation
Create a replacement key, deploy it, then revoke the old key. Use separate keys for local, staging, and production. Redact keys in logs and observability tools.
TypeScript example
Keep the key on the server only.
const baseUrl = process.env.STATXE_API_BASE_URL ?? "https://api.statxe.com"
const apiKey = process.env.STATXE_API_KEY
if (!apiKey) throw new Error("Missing STATXE_API_KEY")
const res = await fetch(`${baseUrl}/api/v1/me`, {
headers: { Authorization: `Bearer ${apiKey}` },
})
if (!res.ok) {
throw new Error(`STATXE API error ${res.status}: ${await res.text()}`)
}
console.log(await res.json())