Authentication model
- Each key belongs to exactly one user.
- The API key identifies the user and authorizes access to their data.
- Keys should be treated like secrets and stored only in trusted backend systems.
Request headers
Send the key in the standard HTTP Authorization header, using the Bearer scheme:
Authorization: Bearer altar_api_your_personal_key
Best practices
- Name each key after the tool or integration that will use it.
- Create separate keys per integration so revocation is targeted.
- Never embed personal API keys in browser code.
- Revoke unused keys from the ALTAR app settings.
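A backend-side sketch of the header format and the storage advice above. This is an added example, not ALTAR's own code. The environment variable name, the placeholder host, and the request path are assumptions; only the `altar_api_` prefix and the Bearer header come from this page.

```python
import os
import urllib.request

KEY_PREFIX = "altar_api_"                 # prefix shown in the page's sample header
ENV_VAR = "ALTAR_API_KEY"                 # assumed variable name
BASE_URL = "https://api.example.invalid"  # placeholder host; the page names none


class KeyConfigError(RuntimeError):
    """The backend has no usable key configured."""


def load_key(env=os.environ):
    """Read the key from the backend environment instead of source code."""
    key = env.get(ENV_VAR, "").strip()    # drop the newline secret files often carry
    if not key:
        raise KeyConfigError(f"{ENV_VAR} is not set")
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise KeyConfigError(f"{ENV_VAR} does not look like a personal API key")
    if any(ch.isspace() or not ch.isprintable() for ch in key):
        raise KeyConfigError(f"{ENV_VAR} contains whitespace or control characters")
    return key


def redact(key):
    """Log-safe form: the prefix plus the last four characters of the secret part."""
    secret = key[len(KEY_PREFIX):]
    tail = secret[-4:] if len(secret) > 8 else ""
    return f"{KEY_PREFIX}...{tail}"


def build_request(path, key):
    """Build, without sending, a request that carries the key as a Bearer token."""
    req = urllib.request.Request(BASE_URL + path)
    req.add_header("Authorization", f"Bearer {key}")
    return req


if __name__ == "__main__":
    # Constructed sample key, supplied here only so the demo runs offline.
    sample_env = {ENV_VAR: "altar_api_constructed_sample_1234\n"}
    key = load_key(sample_env)
    req = build_request("/v1/example", key)   # hypothetical path
    print("using key", redact(key))           # never log the key itself
    print("header set:", req.has_header("Authorization"))
```

Giving each integration its own environment and its own key keeps a revocation limited to that integration.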