Authentication
All API requests must include an API key in the Authorization header as a Bearer token.
Authorization: Bearer bp_sk_live_YOUR_KEYAPI Keys
Section titled “API Keys”API keys are created in the Bindery Press dashboard under Settings > API Keys. Each key belongs to a team and has a mode.
Key Prefixes
Section titled “Key Prefixes”| Prefix | Mode | Description |
|---|---|---|
bp_sk_live_ | Live | Production renders. Counts against your monthly quota. |
bp_sk_test_ | Test | Test renders. Watermarked output. Does not count against quota. |
Key Management
Section titled “Key Management”You can create multiple keys per team. Each key has a name for identification. Keys can be revoked at any time from the dashboard — revocation is immediate and the key will stop working on the next request.
Authentication Flow
Section titled “Authentication Flow”When a request arrives with an API key:
- The key is hashed (SHA-256) and looked up in the key store.
- The key’s team, mode, and metadata are resolved.
- Rate limits and quotas are checked against the team’s plan.
- The request proceeds to the endpoint handler.
If the key is invalid or missing, the API returns 401 AUTH_REQUIRED.
Rate Limit Headers
Section titled “Rate Limit Headers”Every response from rate-limited endpoints includes these headers:
| Header | Description |
|---|---|
X-RateLimit-Limit | Maximum requests allowed in the current window. |
X-RateLimit-Remaining | Requests remaining in the current window. |
X-RateLimit-Reset | Unix timestamp when the window resets. |
When the rate limit is exceeded, the API returns 429 RATE_LIMITED with a Retry-After header.
Session Authentication
Section titled “Session Authentication”The Bindery Press dashboard uses session-based authentication via BetterAuth. Session tokens are used internally for dashboard operations (template editing, thumbnail generation, etc.) and are not intended for external API usage.