Authentication

Every request to a Simwood service must be authenticated. Machine-to-machine integrations authenticate with an API key sent as a Bearer token. The same key and mechanism work across every service on the platform.

Get an API key

API keys are issued from the Customer Portal. Keys look like:

sk_live_<48 hex characters>

The full key is shown once, at the moment it is created. Store it securely — Simwood only keeps a hash and cannot show it to you again. If a key is lost or leaked, revoke it and issue a new one.

Keys do not expire and have no refresh flow. Revocation is immediate.

Authenticate a request

Send the key in the Authorization header as a Bearer token:

curl https://api.simwood.com/{service}/{version}/... \
  -H "Authorization: Bearer sk_live_abc123..."

You can also paste a key into the Test Request panel in any service's API reference to try endpoints live from your browser.

Scopes

Authentication proves who you are; scopes control what you can do. Each key is granted a set of scopes following the pattern resource:action:

Action Grants
<service>:read Read operations — list and retrieve resources
<service>:write Create and modify resources
<service>:delete Delete resources
<service>:admin Administrative operations

Each service defines its own scopes under its own name — for example, the Conversation Intelligence service uses intelligence:read, intelligence:write, and so on. See a service's pages for the exact scopes it defines.

A request made with a key that lacks the required scope is rejected with 403 Forbidden. Request the scopes you need when you create a key in the portal.

For the JSON error shape returned on authentication and authorization failures, see Platform conventions.