API authentication
Personal access tokens for the Data API.
The Data API requires a personal access token (PAT). The Avatar API is public and unauthenticated.
Personal access tokens
PATs look like sk_live_.... Pass it in the Authorization header:
curl -H "Authorization: Bearer sk_live_abcdef..." \
https://app.seedkit.dev/api/v1/data/identities
A PAT is org-scoped — it authorizes any org-level API call your plan grants. The CLI uses the same token type, read from the SEEDKIT_TOKEN environment variable.
Minting a token
Two ways:
- CLI: run seedkit login. Opens a browser, mints a token, and writes ~/.seedkit/credentials (mode 0600).
- Dashboard: Settings → Tokens → New token. Copy and store it immediately — we hash it on the server, so we can't show it again.
Revocation
Revoke from Settings → Tokens at any time. Revocation takes effect within seconds — in-flight requests with that token will start returning 401 unauthorized.
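The following is an added example (not seedkit's own code) of a backend client that ties the three points above together: it resolves the PAT the way the CLI does (SEEDKIT_TOKEN first, then ~/.seedkit/credentials, refusing the file if it is not mode 0600), sends it as a Bearer token, and treats a 401 as the revocation signal described here so the caller knows to mint a new token. Two things are assumptions rather than documented on this page: the credentials file is read as JSON with a "token" key, and the identities endpoint is assumed to return JSON. The offline_opener helper is a constructed stand-in for urlopen so the flow can be exercised without network access.

```python
"""Backend client for the seedkit Data API using a personal access token (PAT).

Added example, not seedkit's own code. Assumptions beyond the docs page:
the credentials file written by `seedkit login` is read here as JSON with a
"token" key (its real layout is not documented here), and the identities
endpoint is assumed to return JSON.
"""
import io
import json
import os
import stat
import urllib.error
import urllib.request
from pathlib import Path

API_BASE = "https://app.seedkit.dev/api/v1"  # from the docs
DEFAULT_CREDENTIALS = str(Path.home() / ".seedkit" / "credentials")


class TokenError(RuntimeError):
    """No usable PAT, or the credentials file is unsafe to trust."""


class TokenRevoked(RuntimeError):
    """The API answered 401: the PAT was revoked or is otherwise invalid."""


def looks_like_pat(token: str) -> bool:
    """PATs look like sk_live_...; reject anything else before sending it."""
    return token.startswith("sk_live_") and len(token) > len("sk_live_")


def write_credentials(path: str, token: str, mode: int = 0o600) -> None:
    """Mirror what `seedkit login` does: write the file with mode 0600 (assumed JSON layout)."""
    p = Path(path)
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(json.dumps({"token": token}))
    os.chmod(p, mode)


def credentials_mode_ok(path: str) -> bool:
    """True only if group/other hold no permission bits (0600 or tighter)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def load_token(env=None, credentials_path: str = DEFAULT_CREDENTIALS) -> str:
    """Resolve the PAT the way the CLI does: SEEDKIT_TOKEN first, then the credentials file."""
    env = os.environ if env is None else env
    token = env.get("SEEDKIT_TOKEN", "").strip()
    if not token:
        if not os.path.isfile(credentials_path):
            raise TokenError("no SEEDKIT_TOKEN and no credentials file; run `seedkit login`")
        if not credentials_mode_ok(credentials_path):
            raise TokenError(f"{credentials_path} is readable by others; expected mode 0600")
        token = json.loads(Path(credentials_path).read_text()).get("token", "").strip()
    if not looks_like_pat(token):
        raise TokenError("token does not look like a seedkit PAT (sk_live_...)")
    return token


def auth_headers(token: str) -> dict:
    """The header the docs show: Authorization: Bearer <PAT>."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def get_identities(token: str, opener=urllib.request.urlopen) -> dict:
    """GET /data/identities; a 401 is surfaced as TokenRevoked so the caller can re-mint."""
    req = urllib.request.Request(f"{API_BASE}/data/identities", headers=auth_headers(token))
    try:
        with opener(req) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            raise TokenRevoked("401 unauthorized: token revoked or invalid; mint a new one") from exc
        raise


def offline_opener(status: int, body: bytes = b"{}"):
    """Constructed stand-in for urlopen: returns `body` for 200, raises HTTPError otherwise."""
    def _open(req):
        if status != 200:
            raise urllib.error.HTTPError(req.full_url, status, "simulated", {}, None)
        return io.BytesIO(body)
    return _open


if __name__ == "__main__":
    pat = load_token()
    try:
        print(get_identities(pat))
    except TokenRevoked as exc:
        print(exc)
```

Run it on a machine where `seedkit login` has been run or SEEDKIT_TOKEN is set. The mode check matters because a PAT is org-scoped: a credentials file that drifted to 0644 hands the whole org's API access to every local user, so the client refuses it rather than silently using it.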
CORS
The Data API does not support browser-origin CORS. PATs grant org-wide access, so they shouldn't ride along in a browser anyway. Call the API from your backend, a CI runner, or a build script.
The Avatar API serves Access-Control-Allow-Origin: * and is safe to embed in <img> tags from any origin.
See also
- Data API — request shape, datasets, plan gating.
- Authentication (CLI)