Authentication
How to authenticate against the Scripto HTTP API — the Authorization Bearer header, the scripto_ key prefix, and how keys are minted.
The scripto CLI handles auth for you after scripto auth login-complete or scripto config set --api-key. Use the header below only when calling the API directly.
The header
Send your key as a Bearer token on every authenticated route:
| Header | Value |
|---|---|
| Authorization | Bearer scripto_… |
curl -sS https://scripto.codika.io/api/articles \
  -H "Authorization: Bearer $SCRIPTO_API_KEY"

A missing or invalid key returns 401 unauthenticated.
Key prefix
Every CLI key starts with scripto_. Keys are owned by a single user (their referenceId), and every data route scopes its rows to that user — see per-user scoping.
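An added example (not Scripto's own code) for the direct API call and key prefix described above: it rejects values that lack the scripto_ prefix before anything is sent, and hands the Authorization header to curl on stdin so the key never appears in the process list. The function names are hypothetical; the host and route are the ones from the curl example above.

```sh
# Added example: direct Scripto API call that keeps the key out of argv.
# Function names are hypothetical; host and route come from the page's curl example.
SCRIPTO_BASE_URL="https://scripto.codika.io"

# Succeeds only for a value with the documented scripto_ prefix that contains
# no whitespace, quote or backslash (any of which could split the header
# or break out of the quoted curl config line below).
scripto_key_ok() {
  case "$1" in
    *[[:space:]]*|*\"*|*\\*) return 1 ;;
    scripto_?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints a curl config line carrying the Bearer header. printf is a shell
# builtin, so the key is not placed on any external command line.
scripto_curl_config() {
  scripto_key_ok "$1" || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$1"
}

# GET a route with the key from $SCRIPTO_API_KEY.
# $1 = route path, $2 = optional file for the response body.
# Returns 0 on 2xx, 2 on a bad local key, 3 on transport error,
# 4 on 401, 5 on any other status.
scripto_get() {
  cfg=$(scripto_curl_config "${SCRIPTO_API_KEY:-}") || {
    echo "SCRIPTO_API_KEY is unset or is not a scripto_ key" >&2
    return 2
  }
  status=$(printf '%s\n' "$cfg" |
    curl -sS --config - -o "${2:-/dev/null}" -w '%{http_code}' \
      "$SCRIPTO_BASE_URL$1") || return 3
  case "$status" in
    2??) return 0 ;;
    401) echo "401 unauthenticated: key missing or invalid" >&2; return 4 ;;
    *)   echo "unexpected HTTP status $status" >&2; return 5 ;;
  esac
}

# Usage: scripto_get /api/articles articles.json
```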
Where keys come from
| Path | How |
|---|---|
| OTP | POST /api/cli/login-request then POST /api/cli/login-complete returns a key. Backs scripto auth …. See CLI auth. |
| Web Settings | Mint a named key in the app; the raw value is shown once. |
| POST /api/keys | Mint a key for the authenticated principal (web-session scoped). See create key. |
The raw secret is returned only at creation and is never retrievable again. Listing keys returns metadata only.
Two auth paths coexist
The CLI uses static scripto_ Bearer keys. Desktop/web agents use a per-user OAuth access token over the MCP connector. Both resolve, server-side, to the same userId and the same per-user authorization rule — the apiKey and OAuth paths sit side by side over one user table.
Next
- API keys — the full key policy (long-lived, named, revocable).
- CLI auth (OTP) — the public provisioning routes.