API reference

Guide

Authentication

Bearer API keys, audiences, scopes, and secure handling.

Bearer tokens

Every public API request requires Authorization: Bearer <key>. Do not put keys in query strings, browser bundles, or client-side storage.

curl https://api.statxe.com/api/v1/me \
  -H "Authorization: Bearer stx_live_xxx"

Scopes

Keys are scoped. Missing a required scope returns missing_scope with a stable docs_url. Prefer least-privilege keys per integration (e.g. contacts:read only for a CRM sync reader).

Rotation

Create a replacement key, deploy it, then revoke the old key. Use separate keys for local, staging, and production. Redact keys in logs and observability tools.

TypeScript example

Keep the key on the server only.

const baseUrl = process.env.STATXE_API_BASE_URL ?? "https://api.statxe.com"
const apiKey = process.env.STATXE_API_KEY
if (!apiKey) throw new Error("Missing STATXE_API_KEY")

const res = await fetch(`${baseUrl}/api/v1/me`, {
  headers: { Authorization: `Bearer ${apiKey}` },
})
if (!res.ok) {
  throw new Error(`STATXE API error ${res.status}: ${await res.text()}`)
}
console.log(await res.json())