Sift

Authentication

API keys belong to a workspace, not to your personal account. Send a workspace API key on every request using either header:

  • Authorization: Bearer <workspace_api_key>
  • X-Api-Key: <workspace_api_key>

Create a workspace from /onboarding (with an optional ?team=<slug> when inviting). The track (Free, Hobby, Pro, or Business) is set from the pricing CTAs or POST /api/onboarding/intent, not from query params; Hobby and Pro let you choose personal or shared workspace onboarding. Invitees must sign in once first so their email is on file. Manage keys from each workspace dashboard. In production, account pages run on https://sift.nu, and Pro/Business workspace dashboards run on https://workspace.sift.nu (with compatibility redirects from legacy /w/<slug>/<tab> links). Revoked keys return 401 immediately.

Security practices

  • Treat API keys like passwords: store them in environment variables or a secret manager, not in client-side code or public repositories.
  • Prefer Authorization: Bearer … if your HTTP client makes it easy to attach consistently; X-Api-Key is equivalent for this API.
  • Rotate keys from the workspace dashboard if a key is exposed. Old keys stop working as soon as they are revoked.

Methods

Detection endpoints accept only GET, POST, and OPTIONS. Other methods receive 405 Method not allowed with a JSON body.

Email conversation replies

Support and admin emails use the normal support mailbox as Reply-To, and each outbound subject includes a stable [ref:...] token for thread routing. Configure Resend inbound webhooks for email.received and set RESEND_INBOUND_SIGNING_SECRET. Fallback routing uses the same support mailbox from RESEND_FROM when no category override exists.

Auth failure responses

Missing and invalid keys both return 401 with different error messages. This helps clients choose whether to prompt for credentials or rotate a key.

{
  "error": "Missing workspace API key. Send Authorization: Bearer <token> or X-Api-Key",
  "responseTimeMs": 0
}

{
  "error": "Invalid or revoked workspace API key",
  "responseTimeMs": 1
}
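
A client-side sketch of the practices above, added here as an example and not taken from Sift's own code: the key is read from an environment variable, sent as Authorization: Bearer, and a failure is mapped to an action using the two 401 bodies shown. The variable name SIFT_WORKSPACE_API_KEY, the action labels, the reading of "missing" as prompt and "invalid or revoked" as rotate, and the stability of the error wording are assumptions of this example; the endpoint URL is supplied by the caller.

```python
import json
import os
import urllib.error
import urllib.request

# Assumption: the environment variable name is this example's choice, not Sift's.
KEY_ENV_VAR = "SIFT_WORKSPACE_API_KEY"


def auth_headers(environ=os.environ):
    """Build request headers from the environment so the key never lives in source."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return {"Authorization": f"Bearer {key}"}


def classify_failure(status, body_text):
    """Map a failure response to a client action, using the error bodies shown above."""
    try:
        parsed = json.loads(body_text)
    except (TypeError, ValueError):
        parsed = None
    error = parsed.get("error", "") if isinstance(parsed, dict) else ""
    if status == 401 and error.startswith("Missing workspace API key"):
        return "prompt_for_credentials"  # header was not sent at all
    if status == 401 and error.startswith("Invalid or revoked"):
        return "rotate_key"  # key was sent but is no longer accepted
    if status == 401:
        return "auth_failed_unknown"  # unrecognised wording: fail closed, do not retry
    if status == 405:
        return "fix_http_method"  # only GET, POST and OPTIONS are accepted
    return "other_error"


def call(url, payload=None):
    """Send one authenticated request; return (action, parsed_body). Never logs the key."""
    data = json.dumps(payload).encode() if payload is not None else None
    headers = auth_headers()
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return "ok", json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_failure(exc.code, exc.read().decode(errors="replace")), None
```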