API Authentication
Every request to the Sellm API must include a valid project-scoped API key. Keys are created through the dashboard and are tied to a single project.
Sending your key
Include your API key in the Authorization header using the Bearer scheme:
Authorization: Bearer sellm_your_api_key_here
This header must be present on every request. Requests without a valid key receive a 401 Unauthorized response.
Key format
- Keys always start with the sellm_ prefix.
- The remainder is a cryptographically generated token.
- There are no separate sandbox or test keys. All keys authenticate against the production API.
Security best practices
- Never embed API keys in client-side code, mobile apps, or public repositories.
- Rotate keys periodically. You can create a new key and revoke the old one from the dashboard at any time.
- Use one key per integration for easy revocation without affecting other systems.
- Monitor key usage and revoke immediately if a key is suspected to be compromised.
Verifying your key
The simplest way to confirm that a key is valid is to call GET /project. A 200 response with your project details means the key is active and correctly configured.
Common authentication errors
- 401 UNAUTHORIZED - The key is missing, malformed, or has been revoked.
- 403 FORBIDDEN - The key is valid but the action is blocked by plan constraints.
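An added example, not Sellm's own code: a Python check that reads the key from the environment instead of source code, sends GET /project with the Bearer header, and maps the documented 200, 401 and 403 statuses to an outcome. The SELLM_API_KEY and SELLM_API_BASE variable names, the api.example.invalid host, the function names and the outcome labels are assumptions; the page does not state the API base URL.

```python
import os
import urllib.error
import urllib.request

KEY_PREFIX = "sellm_"  # from the page: every key starts with this prefix
# Statuses documented on the page, mapped to labels chosen for this example.
OUTCOMES = {200: "active", 401: "rejected", 403: "plan-blocked"}


def load_key(env=os.environ, var="SELLM_API_KEY"):
    """Read the key from the environment; the variable name is an assumption."""
    key = env.get(var, "").strip()
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise ValueError(f"{var} is unset or does not look like a Sellm key")
    return key


def redact(key):
    """Keep only the prefix and the last 4 characters, for safe logging."""
    return f"{KEY_PREFIX}...{key[-4:]}"


def verify_key(base_url, key, urlopen=urllib.request.urlopen, timeout=10):
    """Send GET /project with the Bearer header and classify the status."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/project",
        headers={"Authorization": f"Bearer {key}"},
        method="GET",
    )
    try:
        with urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # urllib raises 401 and 403 as HTTPError
    except urllib.error.URLError:
        return "unreachable"
    return OUTCOMES.get(status, f"unexpected-{status}")


if __name__ == "__main__":
    # Placeholder host: the page does not state the API base URL.
    base = os.environ.get("SELLM_API_BASE", "https://api.example.invalid")
    try:
        key = load_key()
    except ValueError as exc:
        print(f"not checked: {exc}")
    else:
        print(redact(key), verify_key(base, key))
```

Running this after each rotation confirms the new key is active before the old one is revoked, and the redacted form keeps the full key out of logs.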