
Authentication

API key (X-API-Key)

Most /v1/* routes expect an API key in the X-API-Key header. Exceptions:

  • POST /v1/billing/checkout and POST /v1/billing/portal accept either Authorization: Bearer <access_token> or X-API-Key.
  • GET /v1/usage and GET /v1/analytics/usage also accept either Bearer JWT or X-API-Key, so the dashboard can read usage without exposing the raw key.
  • /v1/public/visitor-counter routes are public and gated by server config, not by an API key.
  • POST /v1/billing/webhook is public at the HTTP auth layer but requires a valid webhook signature.

curl https://api.scrift.app/v1/catalog/stripe \
  -H "X-API-Key: YOUR_API_KEY"

How to get a key

Register at scrift.app. Your key is shown once in the dashboard after registration or regeneration. If you lose it, generate a new key from the dashboard.

Rate limits

Daily quotas depend on your plan. See Rate limits for tiers and HTTP 429 behavior.

JWT (account endpoints)

User account routes under /auth/* may require a bearer token where the OpenAPI operation says so, for example:

Authorization: Bearer <access_token>

If you only call catalog/search/SVG/PNG/WebP/brand/subscription APIs from your backend with an API key, you do not need JWT.

Errors

Missing or invalid keys receive 401 with error code invalid_api_key.

{
  "error": "invalid_api_key",
  "message": "API key required. Pass X-API-Key header."
}
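
A backend client for the key handling and 401 response described above, as an added example that is not Scrift's own code. The SCRIFT_API_KEY variable name and the function names are assumptions made for this example; the host, header and error code are the ones shown on this page.

```python
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.scrift.app"   # host from the curl example on this page
KEY_ENV_VAR = "SCRIFT_API_KEY"        # assumption: name chosen for this example


class InvalidApiKey(Exception):
    """Key missing locally, or rejected by the server with invalid_api_key."""


def build_request(path, env=os.environ):
    """Build a GET request carrying the key from the environment, not from source."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        # Fail before any network I/O instead of sending an empty header.
        raise InvalidApiKey(f"{KEY_ENV_VAR} is not set")
    return urllib.request.Request(API_BASE + path, headers={"X-API-Key": key})


def redact(req):
    """Header view that is safe to log: the key value is replaced."""
    return {k: "<redacted>" if k.lower() == "x-api-key" else v
            for k, v in req.header_items()}


def check_response(status, body):
    """Return the body on success; raise InvalidApiKey on the documented 401."""
    if status < 400:
        return body
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}          # error body was not JSON
    code = payload.get("error") if isinstance(payload, dict) else None
    if status == 401 and code == "invalid_api_key":
        raise InvalidApiKey(payload.get("message", code))
    raise RuntimeError(f"HTTP {status} ({code})")


def fetch(path):
    """Send the request; success and HTTP errors both go through check_response."""
    req = build_request(path)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return check_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return check_response(err.code, err.read())
```

Catching InvalidApiKey separately from other failures lets a service alert on a revoked or regenerated key instead of retrying with the same credential.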