API authentication

Use a workspace-scoped bearer token on every API request.

For the account-created personal workspace path, see Personal workspace lifecycle.

Bearer auth

Tokens are scoped to one workspace and carry explicit permission scopes. Send the token on every request with the Authorization header.

Workspace API keys are created from the control plane. The full secret is shown once, then Slab5 stores only a prefix and hash. API keys can be scoped, listed, edited, and revoked from the workspace.

Admin console lifecycle

Workspace owners and admins can use the Slab5 console for the first credential-management loop:

  • Create a workspace API key with a name and scope set.
  • Show the full secret once after creation.
  • Store only the key prefix and hash.
  • List existing keys by name, prefix, status, timestamps, and scopes.
  • Revoke active keys after explicit confirmation.
  • Record create and revoke actions in audit logs and usage metering.

Members and readonly users cannot create or revoke workspace API keys. Credential actions are checked against the target workspace membership, not just the broader Slab5 team tenant or WorkOS organization.

Token environment

Use environment variables for local API clients and scripts. Do not commit real workspace tokens.

.env.local

SLAB5_API_BASE_URL=https://api.slab5.com/v1
SLAB5_WORKSPACE_TOKEN=slab5_workspace_token_with_api_scopes

Authenticated request

Workspace request

curl "$SLAB5_API_BASE_URL/workspace" \
  -H "Authorization: Bearer $SLAB5_WORKSPACE_TOKEN"

Expected success envelope:

{
  "data": {
    "id": "wrk_123",
    "name": "Personal Workspace",
    "enabled_modules": ["activity_log", "analytics_governance", "assets", "cms", "crm", "tasks"]
  },
  "request_id": "req_123"
}

Authentication errors

Missing or invalid tokens return unauthorized:

{
  "error": {
    "code": "unauthorized",
    "message": "A valid bearer token is required.",
    "request_id": "req_unauthorized_123",
    "docs_url": "https://docs.slab5.com/api/errors#unauthorized"
  }
}

Tokens without the required scope return missing_required_scope:

{
  "error": {
    "code": "missing_required_scope",
    "message": "The token does not include the scope required for this operation.",
    "required_scope": "crm:write",
    "request_id": "req_scope_123",
    "docs_url": "https://docs.slab5.com/api/errors#missing_required_scope"
  }
}

Use the request_id to find the matching API request event, audit event, and support log entry.
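The bearer request and envelope handling above as a small Python client, added here as an example (not Slab5's own SDK). It assumes that error responses carry the JSON error envelope in the body and that the SLAB5_* variables from .env.local are set; the class and function names are this example's own.

```python
import json
import os
import urllib.error
import urllib.request


class Slab5ApiError(Exception):
    """Any Slab5 error envelope; carries the fields a support ticket needs."""

    def __init__(self, status, code, message, request_id, required_scope=None):
        super().__init__(f"{code} ({status}): {message} [request_id={request_id}]")
        self.status = status
        self.code = code
        self.request_id = request_id
        self.required_scope = required_scope

    @property
    def retryable(self):
        # Auth failures never succeed on retry: the caller needs a new or
        # wider-scoped token, not another attempt with the same one.
        return self.code not in ("unauthorized", "missing_required_scope")


def auth_headers(token):
    """Authorization header for a workspace-scoped token (never log its value)."""
    if not token or token.isspace():
        raise ValueError("SLAB5_WORKSPACE_TOKEN is not set")
    return {"Authorization": f"Bearer {token}"}


def parse_envelope(status, body):
    """Return (data, request_id) for a success envelope; raise on an error envelope."""
    payload = json.loads(body)
    if "error" in payload:
        err = payload["error"]
        raise Slab5ApiError(status, err["code"], err.get("message", ""),
                            err.get("request_id"), err.get("required_scope"))
    return payload["data"], payload["request_id"]


def get_workspace(base_url=None, token=None):
    """GET /workspace using the SLAB5_* variables from .env.local."""
    base_url = base_url or os.environ["SLAB5_API_BASE_URL"]
    token = token or os.environ["SLAB5_WORKSPACE_TOKEN"]
    req = urllib.request.Request(f"{base_url}/workspace", headers=auth_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_envelope(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return parse_envelope(exc.code, exc.read())  # assumed: body is the JSON envelope
```

Catch Slab5ApiError at the call site and include its request_id in the support ticket; a missing_required_scope error also tells you which scope (required_scope) the key needs when it is re-issued.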

For key creation, rotation, storage, and revocation guidance, see Credential lifecycle.
