Authentication

Every request to the SkipUp API must include a valid API key. This page covers how authentication works, what scopes control, and how to keep your keys secure.

API keys

API keys authenticate your requests. Each key is tied to your workspace and has a set of scopes that control what it can access.

Keys use the prefix sk_ so you can identify them easily. For example:

sk_live_abc123def456...

Creating a key

1. Go to Settings > API Keys
2. Click Create API Key
3. Enter a descriptive name (e.g., “Production integration” or “CI pipeline”)
4. Select the scopes the key needs
5. Click Create

Note

Your key is displayed only once at creation. Copy it immediately. SkipUp stores a SHA-256 digest of the key — the original value cannot be retrieved later.

Using your key

Include the key in the Authorization header as a Bearer token:

curl https://api.skipup.ai/api/v1/meeting_requests \
  -H "Authorization: Bearer sk_live_your_key_here"

If the key is missing or invalid, you’ll receive a 401 Unauthorized response:

{
  "error": {
    "type": "authentication_error",
    "message": "Invalid or missing API key."
  }
}

Scopes

Scopes limit what an API key can do. When you create a key, choose only the scopes your integration actually needs.

Scope	Grants access to
meeting_requests.read	List and view meeting requests
meeting_requests.write	Create, cancel, and modify meeting requests
members.read	List workspace members
members.write	Add and deactivate workspace members
webhooks.read	List and view webhook endpoints
webhooks.write	Create, update, and delete webhook endpoints
api_keys.read	List API keys
api_keys.write	Create and delete API keys
seats.read	View seat usage and capacity
seats.write	Assign seats and update capacity

If a key lacks the required scope for a request, you’ll receive a 403 Forbidden response:

{
  "error": {
    "type": "forbidden",
    "message": "This API key does not have the required scope."
  }
}

Tip

Follow the principle of least privilege. Create separate keys for different integrations, each with only the scopes it needs.

Key rotation

Rotating keys regularly reduces the risk if a key is ever compromised. To rotate a key:

1. Create a new API key with the same scopes
2. Update your application to use the new key
3. Verify the new key is working correctly
4. Delete the old key in Settings > API Keys

There is no downtime during rotation — both keys work until you delete the old one.

Deleting a key

To revoke a key immediately:

1. Go to Settings > API Keys
2. Find the key you want to remove
3. Click Delete

Any request made with a deleted key will immediately return 401 Unauthorized.

Security best practices

• Never commit keys to source control. Use environment variables or a secrets manager instead.
• Use separate keys per environment. Create distinct keys for development, staging, and production.
• Limit scopes. Give each key only the permissions it needs.
• Rotate keys periodically. Replace keys on a regular schedule, even if you don’t suspect a compromise.
• Delete unused keys. If an integration is decommissioned, remove its key right away.
• Monitor key usage. Review your active keys in Settings > API Keys and remove any you don’t recognize.

Note

If you believe a key has been compromised, delete it immediately and create a replacement. All requests using the compromised key will stop working as soon as you delete it.