All API requests require an API key. You can create and manage keys from the Scrip dashboard.
Using Your API Key
API keys use the sk_ prefix. Pass your key in the Authorization header:
curl https://api.scrip.dev/v1/programs \
-H "Authorization: Bearer sk_your_api_key"
You can also use the X-API-Key header:
curl https://api.scrip.dev/v1/programs \
-H "X-API-Key: sk_your_api_key"
Each API key has full read and write access to all resources in your organization. There are no scoped or read-only keys at this time.
Keep your API keys secret. Do not expose them in client-side code or commit them to version control.
Rate Limits
Requests are rate-limited per organization:
| Limit | Value | Meaning |
|---|
| Sustained rate | 10 requests/second | Steady throughput the API allows continuously |
| Burst | 30 requests | Maximum requests allowed in a short spike before throttling |
All API keys within the same organization share the same rate limit. When exceeded, the API returns 429 Too Many Requests with a Retry-After header.
Every response includes rate limit headers:
| Header | Description |
|---|
X-RateLimit-Limit | Maximum burst capacity |
X-RateLimit-Remaining | Requests remaining in the current window |
X-RateLimit-Reset | Unix timestamp (seconds) when the bucket is fully replenished |
Retry-After | Seconds to wait before retrying (only present on 429 responses) |
For higher throughput, contact us about enterprise rate limits.
Errors
| Status | Code | Meaning |
|---|
401 | unauthorized | API key is missing, invalid, or has been revoked. Check that your Authorization header is set correctly. |
403 | forbidden | The API key is valid but does not have access to this resource. |
429 | too_many_requests | Rate limit exceeded |
Error responses follow a standard shape:
{
"code": "unauthorized",
"message": "invalid or revoked API key"
}