API Key Authentication
Most endpoints use API key authentication via the Authorization header.
Key Format
| Prefix | Environment |
|---|---|
| circ_live_* | Production |
| circ_test_* | Testing |
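
An added example, not part of the Circular documentation: a scanner for commit hooks or log pipelines that finds keys by the two prefixes above, reports which environment each belongs to, and redacts them. The key body character set, the 8-character minimum, and the `CIRCULAR_API_KEY` variable name are assumptions; the page specifies only the prefixes.

```python
import re

# Prefixes are from the Key Format table. The body character set and the
# 8-character minimum are assumptions; the page does not specify them.
KEY_RE = re.compile(r"\b(circ_(live|test)_)([A-Za-z0-9_-]{8,})")
ENVIRONMENTS = {"live": "Production", "test": "Testing"}

# Constructed sample input; these are not real keys, and the variable
# name CIRCULAR_API_KEY is hypothetical.
SAMPLE = """\
# deploy settings
CIRCULAR_API_KEY=circ_live_EXAMPLEa1b2c3d4
fallback = "circ_test_EXAMPLEz9y8x7w6"
note: keys start with circ_live_ or circ_test_
"""


def redact(match: re.Match) -> str:
    """Keep the prefix and last 4 characters so findings can be told
    apart without exposing the secret."""
    return f"{match.group(1)}****{match.group(3)[-4:]}"


def scan(text: str) -> list[dict]:
    """Return one finding per key, with line number and environment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append({
                "line": lineno,
                "environment": ENVIRONMENTS[m.group(2)],
                "key": redact(m),
            })
    return findings


def scrub(text: str) -> str:
    """Replace every key with its redacted form, e.g. before logging."""
    return KEY_RE.sub(redact, text)


def has_production_key(text: str) -> bool:
    """True if any circ_live_ key is present; use to fail a commit hook."""
    return any(f["environment"] == "Production" for f in scan(text))


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(scrub(SAMPLE))
```

Bare mentions of a prefix in prose, such as the last line of the sample, are not reported because no key body follows them.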
Getting a Key
- Sign up at circular.rosetta.sh
- Navigate to API Keys in your dashboard
- Generate a new key — save it immediately, it is only shown once
No API Key Required
| Endpoint | Auth Method |
|---|---|
| GET /health | None |
| /client/* | Supabase JWT (see below) |
JWT Authentication (Client Routes)
Client self-service routes (/client/*) use Supabase JWT tokens instead of API keys.
client_id claim identifying your client account.
Error Responses
| Status | Error Code | Meaning |
|---|---|---|
| 401 | MISSING_API_KEY | No Authorization header provided |
| 401 | INVALID_KEY_FORMAT | Key present but does not start with circ_live_ or circ_test_ |
| 401 | INVALID_API_KEY | Key not found or revoked |
| 401 | UNAUTHORIZED | No Bearer token provided on a JWT-authenticated route |
| 401 | INVALID_TOKEN | JWT is invalid or expired |
| 403 | ACCOUNT_SUSPENDED | Account billing is suspended — contact support |
| 403 | FORBIDDEN | JWT lacks required role or claim |
| 403 | ENDPOINT_NOT_INCLUDED | Your tier does not include this endpoint category |