Authentication
The API supports two authentication methods. Pick by use case:
| Method | Header format | Use for |
|---|---|---|
| API key | `Authorization: Key <secret>-<teamId>` | Server-to-server automations, integrations, scripts |
| Bearer JWT | `Authorization: Bearer <firebase-id-token>` | Dashboard, MCP servers, first-party tooling |
Both methods authenticate as the root team that owns the credential.
Child-team scoping isn’t supported in /v1 — automations always act as the
root.
API key
Generate keys in Settings → Developers. Only team owners of a root team can manage keys.
The plaintext secret is shown once, on creation. We only store a bcrypt hash — if you lose it, revoke the key and create a new one.
The value sent after `Key` is `<secret>-<teamId>`, joined by a hyphen. The team id
suffix is what lets the server look up the right team without paying for a
brute-force scan over every team’s hashes.
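
The lookup described above, sketched as an added example (not Choppity's server code). It assumes team ids contain no hyphen, so the last hyphen separates the secret from the team id; it uses PBKDF2 from the standard library as a stand-in for the bcrypt hash; the `key_store` schema and all function names are hypothetical.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # stand-in work factor; the real service stores bcrypt hashes


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow salted hash of a key secret (PBKDF2 here, bcrypt in the real service)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def parse_key_header(header: str):
    """Split 'Key <secret>-<teamId>' into (secret, team_id), or return None."""
    scheme, _, value = header.partition(" ")
    if scheme != "Key":
        return None
    # The secret itself contains hyphens, so split on the LAST one (assumption).
    secret, sep, team_id = value.strip().rpartition("-")
    if not sep or not secret or not team_id:
        return None
    return secret, team_id


def authenticate(header: str, key_store: dict):
    """Return the team id if the header carries a valid key, else None.

    key_store maps team id -> list of (salt, hash) records (hypothetical schema).
    Only the named team's records are hashed against, never every team's.
    """
    parsed = parse_key_header(header)
    if parsed is None:
        return None
    secret, team_id = parsed
    ok = False
    for salt, stored in key_store.get(team_id, []):
        # Constant-time compare, no early exit across this team's records.
        ok |= hmac.compare_digest(hash_secret(secret, salt), stored)
    return team_id if ok else None


# Constructed sample data: the key from the curl example plus one unrelated team.
SAMPLE_SECRET = "9f8e7d6c-5b4a-3c2b-1a09-0f8e7d6c5b4a"
_salt_a, _salt_b = os.urandom(16), os.urandom(16)
KEY_STORE = {
    "team_abc123": [(_salt_a, hash_secret(SAMPLE_SECRET, _salt_a))],
    "team_other": [(_salt_b, hash_secret("some-other-secret", _salt_b))],
}
```

A valid secret presented with another team's suffix fails, because only the named team's hashes are checked; the cost of a request is bounded by that one team's key count.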

```bash
curl https://api2.choppity.com/v1/ping \
  -H "Authorization: Key 9f8e7d6c-5b4a-3c2b-1a09-0f8e7d6c5b4a-team_abc123"
```

```js
const res = await fetch('https://api2.choppity.com/v1/ping', {
  headers: { Authorization: `Key ${process.env.CHOPPITY_KEY}` },
});
```

```python
import os

import requests

requests.get(
    "https://api2.choppity.com/v1/ping",
    headers={"Authorization": f"Key {os.environ['CHOPPITY_KEY']}"},
)
```

Bearer JWT

Used by the dashboard. Required for credential management endpoints
(/keys, /webhooks) — an API-key-authenticated caller cannot mint or
revoke keys/webhooks. This prevents privilege escalation if a key leaks.

```bash
curl https://api2.choppity.com/v1/ping \
  -H "Authorization: Bearer $FIREBASE_ID_TOKEN"
```

Errors

A request without an Authorization header, or with an invalid credential,
returns 401:

```json
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Authentication required"
  }
}
```

A request authenticated with an API key against a JWT-only endpoint also
returns 401:

```json
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Firebase JWT required for this endpoint"
  }
}
```