When calling the API, you need to authenticate yourself. To do so, include a workspace secret key in each request. You can find that key on the workspace settings page.

Your secret key carries many privileges, so it's very important to keep it to yourself!
  • Never push your secret key to public repositories on GitHub, BitBucket or the like.
  • Never call the API from the client's browser (e.g. using $.ajax), as this will require you to publicly expose your secret key.

Authentication to the API is performed via HTTP Basic Auth.

Provide the workspace secret key as the username value. You do not need to provide a password. API requests without authentication will fail.

Using curl

curl uses the -u flag to pass basic auth credentials. Adding a colon (:) after your API key prevents curl from asking for a password.

curl https://api-{region} -u 550e8400-e29b-41d4-a716-446655440000:

Using an HTTP header

In general, you need to set a header called Authorization with value “Basic x”, where x is your workspace secret key with a colon, base64 encoded.


1. Take your workspace secret key: 550e8400-e29b-41d4-a716-446655440000
2. Append a colon (:): 550e8400-e29b-41d4-a716-446655440000:
3. Base64-encode it: NTUwZTg0MDAtZTI5Yi00MWQ0LWE3MTYtNDQ2NjU1NDQwMDAwOg==
4. Put it in an Authorization header: Authorization: Basic NTUwZTg0MDAtZTI5Yi00MWQ0LWE3MTYtNDQ2NjU1NDQwMDAwOg==

curl https://api-{region} -H "Authorization: Basic NTUwZTg0MDAtZTI5Yi00MWQ0LWE3MTYtNDQ2NjU1NDQwMDAwOg=="

Using one of the client libs

All of the client libraries support authentication with the API, so you don't have to fiddle with authorization headers and base64 encoding.

use Seatsio\Region;
use Seatsio\SeatsioClient;
new SeatsioClient(Region::EU(), <WORKSPACE SECRET KEY>);

Using the company admin key

Instead of the workspace secret key, you can pass in your company admin key for authentication. The admin key has privileges to access and modify data in all workspaces. You can find it on your company settings page.

To specify the workspace, pass in the X-Workspace-Key header. That header should contain the public workspace key.

If you don't provide the X-Workspace-Key header, API calls with the company admin key operate on the default workspace for your company.

The company admin key should never leave your server!
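
The header construction from steps 1 to 4 and the X-Workspace-Key rule above, as an added Python example that is not part of the original documentation or the client libraries. It also shows that the Basic value decodes straight back to the key, so the header has to be kept out of logs and repositories just like the key itself. The UUID-shaped key pattern, the function names and the SEATSIO_SECRET_KEY variable are assumptions made for illustration.

```python
import base64
import binascii
import os
import re

# Assumption: keys are UUID-shaped, like the sample key shown on this page.
KEY_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
BASIC_RE = re.compile(r"Basic\s+([A-Za-z0-9+/]{16,}={0,2})")

def basic_auth_value(secret_key):
    """Steps 1-4: the key, a colon (empty password), base64-encoded."""
    if not secret_key or ":" in secret_key:
        raise ValueError("secret key must be non-empty and contain no colon")
    token = base64.b64encode(f"{secret_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"

def request_headers(key, workspace_public_key=None):
    """Headers for a workspace secret key, or for a company admin key when
    the public workspace key is supplied for X-Workspace-Key."""
    headers = {"Authorization": basic_auth_value(key)}
    if workspace_public_key:
        headers["X-Workspace-Key"] = workspace_public_key
    return headers

def find_exposed_keys(text):
    """Keys recoverable from text: raw keys plus decoded Basic header values."""
    found = set(KEY_RE.findall(text))
    for token in BASIC_RE.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a decodable credential, ignore
        found.update(KEY_RE.findall(decoded))
    return sorted(found)

def redact(text):
    """Mask raw keys and Basic header values before text reaches a log."""
    text = BASIC_RE.sub("Basic [REDACTED]", text)
    return KEY_RE.sub("[REDACTED-KEY]", text)

if __name__ == "__main__":
    # Hypothetical variable name; the fallback is the page's sample key.
    key = os.environ.get("SEATSIO_SECRET_KEY", "550e8400-e29b-41d4-a716-446655440000")
    line = f"GET /example Authorization: {basic_auth_value(key)}"  # constructed log line
    print(find_exposed_keys(line), redact(line))
```

Running find_exposed_keys over staged files or captured log output flags both the raw key and any encoded Authorization header that contains it.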