Authentication
Bearer-token API keys, livemode vs testmode, rotation.
The Dolores REST API authenticates every request with a bearer API key. Keys are project-scoped — one key only grants access to one project's customers, appointments, sessions, events, and webhook endpoints.
Creating keys
Open Settings → API Keys in the admin UI and click + Create key.
Two modes are available:
| Mode | Prefix | Use for |
|---|---|---|
| Live | sk_live_ | Production traffic. Calls real customers, charges your account, fires real appointment webhooks. |
| Test | sk_test_ | Development and CI. Resources tagged livemode: false; webhooks isolated from live deliveries. |
The plaintext key is shown once on creation. Dolores stores only a SHA-256 hash — we cannot recover the plaintext if you lose it. Treat it like a password.
Sending the key
Include the key in the Authorization header on every request:
GET /v1/customers HTTP/1.1
Host: app.meetdolores.ai
Authorization: Bearer sk_live_8fK2xPv...curl https://app.meetdolores.ai/v1/customers \
-H "Authorization: Bearer $DOLORES_API_KEY"Missing or malformed authorization headers return 401 invalid_api_key:
{
"error": {
"type": "authentication_error",
"code": "invalid_api_key",
"message": "Missing API key. Include \"Authorization: Bearer sk_...\" on every request.",
"request_id": "req_01HXY..."
}
}Livemode flag
Every key has a livemode boolean baked in. The flag propagates into:
- Resources you create — every
customer,appointment,session,eventhaslivemode: true|false. - Webhook endpoints — endpoints are tagged at creation and only receive deliveries with matching livemode.
Test-mode resources never count against billing, never dial real phones, and never appear in your live dashboards.
Rotation
Rotate keys regularly and after any suspected leak:
- Settings → API Keys → + Create key with a label like "rotated 2026-06-01".
- Deploy the new key to your backend.
- Verify traffic is flowing on the new key via the
last_used_attimestamp on each row. - Revoke the old key. Requests using it start returning
401immediately.
There's no warm-up period — revocation is instant.
Security best practices
- Never commit keys to source control. Use environment variables or a secret manager.
- Use test keys in CI. They can't dial real phones or charge customers, so leaked test keys have a much smaller blast radius.
- Rotate quarterly, at minimum. Set a calendar reminder.
- One key per service. If you have a backend, a worker, and a CLI tool, each gets its own labelled key. Revoking one service's key shouldn't take the others down.
- Watch
last_used_at. Keys that haven't been used in 90+ days are candidates for revocation.