IA

insp.ac API

Developer platform

Authentication

All API requests are authenticated with a Bearer token in the Authorization header. Tokens are long-lived API keys generated from your organization settings.

How it works

Every request to the insp.ac API must include a valid API key as a Bearer token. The key identifies both your organization and the permissions granted to that particular integration.

Example request

curl -X GET https://api.insp.ac/v1/issues \
  -H "Authorization: Bearer sk_live_your_api_key_here" \
  -H "Content-Type: application/json"

Creating API keys

API keys are created and managed from your organization settings dashboard. Each key can be configured with a name, optional expiration date, and a set of scopes that control which operations it can perform.

PrefixEnvironmentUsage
sk_live_*ProductionLive API access with real data
sk_test_*SandboxTesting and development without side effects

Tip

Name your keys after the integration or service that uses them. This makes it easier to rotate or revoke a specific key without disrupting unrelated workflows.

Key security

API keys carry the full permissions of their assigned scopes. Treat them like passwords and follow these practices:

  • Store keys in environment variables or a secrets manager, never in source code.
  • Only use keys in server-side environments. Never expose them in browser or mobile client code.
  • Use the narrowest scopes necessary for each integration.
  • Rotate keys on a regular cadence and immediately after any suspected exposure.

Important

If a key is compromised, revoke it immediately from your organization settings. Active requests using the revoked key will begin failing with a 401 response.

Error responses

Authentication failures return standard HTTP status codes with a machine-readable error body.

StatusMeaningAction
401Missing or invalid API keyCheck the Authorization header format and key validity
403Valid key but insufficient scopesAssign the required scopes to the key

401 response body

{
  "error": "Authentication required",
  "code": "UNAUTHORIZED"
}

SDK usage

All official SDKs accept the API key at client initialization and attach it to every request automatically.

TypeScript SDK

import { InspAcClient } from "@inspac/sdk";

const client = new InspAcClient({
  apiKey: process.env.INSPAC_API_KEY
});

const issues = await client.issues.list();

Python SDK

from inspac import InspAcClient

client = InspAcClient(api_key=os.environ["INSPAC_API_KEY"])

issues = client.issues.list()