Getting started

Authentication

API keys authenticate SDKs. JWTs authenticate dashboard users. Don't mix them up.

API keys

API keys authenticate the ingest path only. Create them in the admin panel under Workspace → API keys. Keys look like:

text

tm_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Send the key as the X-API-Key header:

bash

curl https://ingest.tapemetric.com/v1/ingest/events \
  -H "X-API-Key: tm_live_..." \
  -H "Content-Type: application/json" \
  -d '{"events":[...]}'

The Authorization: Bearer tm_live_... header is also accepted.

Key storage

We store the SHA-256 hash of every key; the plaintext is returned exactly once at creation. If you lose a key, revoke it and create a new one.

Environments

Each key is tagged production, staging, or development. Use separate keys per environment so you can revoke without side effects.

Client-embedded API keys are public by design. Don’t put sensitive scopes on them. They only carry ingest:write, which can’t read any analytics data.

JWT bearer tokens (admin panel)

The admin panel authenticates users with JWT bearer tokens. Tokens are issued byPOST /v1/auth/login and expire in 24 hours.

bash

curl -X POST https://api.tapemetric.com/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"you@company.com","password":"..."}'

json

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer",
  "tenant_slug": "tapemetric",
  "user": { "id": 42, "email": "you@company.com", "role": "owner" }
}

Then include the token on every protected call:

bash

curl https://api.tapemetric.com/v1/analytics/overview \
  -H "Authorization: Bearer eyJhbGci..."

Scopes

Scope	Applies to	Grants
`ingest:write`	API keys	POST /v1/ingest/*
`analytics:read`	JWT	GET /v1/analytics/*
`keys:manage`	JWT (admin role)	POST/DELETE /v1/api-keys
`settings:write`	JWT (owner role)	Workspace settings, billing