API keys

Create and manage API keys for authenticating with the Lightfield API.

API keys are used to authenticate requests to the Lightfield API. Every request must include a valid API key in the Authorization header as a Bearer token:

curl https://api.lightfield.app/v1/accounts \
-H "Authorization: Bearer sk_lf_0_..." \
-H "Lightfield-Version: 2026-03-01"

API key management is restricted to admin users. Admins can create and revoke keys from the API keys settings page in the Lightfield dashboard. When you create a key, you choose which scopes to grant; the key can only perform operations allowed by those scopes.

Revoking an API key is immediate and permanent. Any integrations using the revoked key will stop working.

By default, an API key inherits the roles of the admin who created it. This means the key can access the same resources and perform the same operations as that user.

  • Use the narrowest scope — Grant only the scopes an integration requires. Restricting scopes ensures that integrations cannot perform operations beyond their intended purpose.
  • Keep keys secret — Never expose API keys in client-side code, public repositories, or logs. Use environment variables or a secrets manager.
  • Use separate keys per integration — Create dedicated keys for each integration so you can revoke access independently without disrupting other services.
  • Rotate keys periodically — Revoke old keys and create new ones on a regular cadence to limit the impact of any potential leak.
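
The "keep keys secret" guidance above, as an added example (not Lightfield's own code): it reads the key from an environment variable and scrubs anything that looks like a key from log output. The variable name LIGHTFIELD_API_KEY, the character set assumed after the `sk_lf_` prefix, and the sample key are assumptions made for illustration.

```python
import logging
import os
import re

# Assumption: keys start with the "sk_lf_" prefix shown in the curl example;
# the characters allowed after the prefix are a guess, so the match is broad.
KEY_PATTERN = re.compile(r"sk_lf_[A-Za-z0-9_\-]+")
API_VERSION = "2026-03-01"  # version header value from the curl example


def redact(text: str) -> str:
    """Replace anything that looks like a Lightfield key with a fixed marker."""
    return KEY_PATTERN.sub("sk_lf_[REDACTED]", text)


class RedactKeysFilter(logging.Filter):
    """Scrub keys from the fully formatted message before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted, drop the raw args
        return True


def auth_headers(env=os.environ) -> dict:
    """Build request headers from LIGHTFIELD_API_KEY (hypothetical name)."""
    key = env.get("LIGHTFIELD_API_KEY", "").strip()
    if not key.startswith("sk_lf_"):
        # Fail closed without echoing whatever value was found.
        raise RuntimeError("LIGHTFIELD_API_KEY is unset or not a Lightfield key")
    return {"Authorization": f"Bearer {key}", "Lightfield-Version": API_VERSION}


if __name__ == "__main__":
    # Constructed sample key, not a real credential.
    sample_env = {"LIGHTFIELD_API_KEY": "sk_lf_0_EXAMPLEexample123"}
    handler = logging.StreamHandler()
    handler.addFilter(RedactKeysFilter())
    log = logging.getLogger("integration")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    headers = auth_headers(sample_env)
    # A careless debug line that would otherwise leak the key into logs.
    log.info("sending request with headers %s", headers)
```

The filter covers the log message and its arguments only; exception tracebacks are formatted later by the handler and need separate treatment.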