All API requests require a Bearer API key in the Authorization header.

Authorization: Bearer allowly_l1_s001_2y6r..._k9m3...

Getting an API key

API keys are created from the Allowly dashboard. Each key is scoped to your workspace. Store it securely — it is only shown once at creation time.

For coding-agent setup, use the CLI setup flow: running allowly login opens a browser approval screen and stores a CLI-scoped local credential. Your production backend should use a runtime API key.

Revoking a key

Keys can be revoked from the dashboard at any time. Requests made with a revoked key return 401 unauthorized immediately.

Warning:

Never expose your API key in client-side code, browser bundles, or public repositories. All API calls should be made server-side.