Authentication
Bearer-token auth with API keys you mint from the dashboard.
The Domainee REST API uses Bearer-token authentication with API keys you mint from the Developers page.
API key format
sk_live_<48 random base64url chars>
Total length: 56 characters. The sk_live_ prefix is constant; the rest is
cryptographically random.
Sending the key
Every request to https://api.domainee.dev/v1/* must include:
Authorization: Bearer sk_live_...
Example:
curl https://api.domainee.dev/v1/domains \
-H "Authorization: Bearer $DOMAINEE_API_KEY"
The header name and Bearer scheme are case-insensitive (authorization: bearer
works too), per RFC 7235.
Workspace scoping
Every API key belongs to exactly one workspace — the workspace it was created in. All resources you create with that key (domains, webhook endpoints) belong to the same workspace and are billed against its subscription.
If you have multiple workspaces, each one needs its own key.
Managing keys
In the dashboard at /developers:
- New key — generates a fresh key. Plaintext is shown ONCE in a modal — copy it before closing.
- Revoke — invalidates the key immediately. Any in-flight requests with the revoked key get 401.
We never store the plaintext server-side; only a SHA-256 hash and the first
16 characters (the sk_live_xxxx… prefix) for display in the dashboard.
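The scheme described above (random key, hash-only storage, immediate revocation), sketched as an added example; this is not Domainee's code. `KEY_STORE`, the function names and the 36-random-byte generation are assumptions made for illustration.

```python
import hashlib
import re
import secrets

PREFIX = "sk_live_"
# Format from the page: constant prefix + 48 base64url characters (56 total).
KEY_RE = re.compile(r"sk_live_[A-Za-z0-9_-]{48}")

# Constructed in-memory store: SHA-256 hex digest -> record. No plaintext kept.
KEY_STORE = {}


def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()


def mint_key(workspace_id):
    """Return the plaintext key once; persist only its hash and display prefix."""
    # Assumption: 36 random bytes, which base64url-encode to exactly 48 chars.
    key = PREFIX + secrets.token_urlsafe(36)
    KEY_STORE[_digest(key)] = {
        "workspace": workspace_id,
        "display": key[:16],  # first 16 characters, for display only
        "revoked": False,
    }
    return key


def revoke_key(key):
    """Mark the key revoked so the next lookup fails."""
    record = KEY_STORE.get(_digest(key))
    if record is not None:
        record["revoked"] = True


def authenticate(authorization_header):
    """Return the workspace id for a valid header, or None (the 401 cases)."""
    if not authorization_header:
        return None  # missing Authorization header
    scheme, _, token = authorization_header.strip().partition(" ")
    token = token.strip()
    # The scheme is case-insensitive; the key itself is matched exactly.
    if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
        return None  # malformed
    record = KEY_STORE.get(_digest(token))
    if record is None or record["revoked"]:
        return None  # not found or revoked
    return record["workspace"]
```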
Storing keys safely
- Treat keys as production credentials. Keep them in your secret manager (Doppler, AWS Secrets Manager, Railway env vars, etc.).
- Don't commit them to git or include them in client-side code. They're server-side only — anyone with a key can manage all domains in your workspace.
- Rotate on compromise. Revoke + mint a new key whenever you suspect leakage.
- Use one key per environment. Production app uses one key, staging uses another. If staging leaks, only staging is exposed.
Test credentials
Domainee currently runs in live mode only. Use a workspace dedicated to testing if you need a sandbox.
Errors
| Status | When it fires |
|---|---|
| 401 unauthorized | Missing Authorization header |
| 401 unauthorized | API key not found, malformed, or revoked |
| 429 rate_limited | Exceeded 60 req/min per key (configurable on request) |
A revoked key returns 401 with {"error":"unauthorized","message":"Invalid API key"}.