Authentication
Every request to a Simwood service must be authenticated. Machine-to-machine integrations authenticate with an API key sent as a Bearer token. The same key and mechanism work across every service on the platform.
Get an API key
API keys are issued from the Customer Portal. Keys look like:
sk_live_<48 hex characters>
The full key is shown once, at the moment it is created. Store it securely — Simwood only keeps a hash and cannot show it to you again. If a key is lost or leaked, revoke it and issue a new one.
Keys do not expire and have no refresh flow. Revocation is immediate.
Authenticate a request
Send the key in the Authorization header as a Bearer token:
curl https://api.simwood.com/{service}/{version}/... \
-H "Authorization: Bearer sk_live_abc123..."
You can also paste a key into the Test Request panel in any service's API reference to try endpoints live from your browser.
Scopes
Authentication proves who you are; scopes control what you can do. Each key is granted a set of scopes following the pattern resource:action:
| Action | Grants |
|---|---|
<service>:read |
Read operations — list and retrieve resources |
<service>:write |
Create and modify resources |
<service>:delete |
Delete resources |
<service>:admin |
Administrative operations |
Each service defines its own scopes under its own name — for example, the Conversation Intelligence service uses intelligence:read, intelligence:write, and so on. See a service's pages for the exact scopes it defines.
A request made with a key that lacks the required scope is rejected with 403 Forbidden. Request the scopes you need when you create a key in the portal.
For the JSON error shape returned on authentication and authorization failures, see Platform conventions.