Authentication
All requests to the Corma Public API v1 must be authenticated using an API key. This ensures that only authorized clients can interact with your workspace data and that every API call is attributable and secure.
API Key Structure
Corma uses a header-based API Key authentication scheme:
- Header name: x-corma-api-key
- Value: A colon-separated string containing the API key ID and secret:
x-corma-api-key: API_KEY_ID:API_KEY_SECRET
Example:
| API key ID | API key secret |
|---|---|
| xaH5dAMZbvCP6NpiNZZS5z | d7cd7f3e308601e88477758700c2 |
GET /v1/resource HTTP/1.1
x-corma-api-key: xaH5dAMZbvCP6NpiNZZS5z:d7cd7f3e308601e88477758700c2
Obtaining an API Key
To get an API key:
- As a workspace admin, go to your Corma workspace settings.
- Navigate to the API section.
- Copy the key pair consisting of the ID and secret.
Warning: Your API keys have admin-level permissions on your workspace data. Treat your key secrets like passwords: never expose them publicly or commit them to version control.
Security Model
- All requests must include a valid x-corma-api-key header.
- The API key uniquely identifies the requesting client and workspace context.
- If the key is invalid or revoked, the API will respond with a 401 — Unauthorized error.
Best Practices
- Rotate API keys regularly.
- Revoke unused keys from the dashboard.
- Store secrets securely using environment variables or secret managers.
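One way to follow the storage advice on the client side, as an added example that is not Corma's own code: it reads the key pair from environment variables, builds the x-corma-api-key header, and masks the secret before anything is logged. The variable names CORMA_API_KEY_ID and CORMA_API_KEY_SECRET, the helper names, and the rule that the key ID contains no colon are assumptions.

```python
import os
import urllib.request

HEADER_NAME = "x-corma-api-key"  # header name given on this page


class ApiKeyError(ValueError):
    """Raised when the key pair is missing or malformed."""


def build_auth_header(env=os.environ):
    """Build the auth header from the environment (variable names are assumed)."""
    key_id = env.get("CORMA_API_KEY_ID", "").strip()
    secret = env.get("CORMA_API_KEY_SECRET", "").strip()
    if not key_id or not secret:
        raise ApiKeyError("API key ID or secret is not set")
    # The value is ID:SECRET. Assumption: the ID itself holds no colon,
    # otherwise the boundary between ID and secret becomes ambiguous.
    # Whitespace (including CR/LF) is rejected so a tampered variable
    # cannot corrupt the header or smuggle in extra header lines.
    if ":" in key_id or any(c.isspace() for c in key_id + secret):
        raise ApiKeyError("API key ID or secret contains illegal characters")
    return {HEADER_NAME: f"{key_id}:{secret}"}


def redact(headers):
    """Return a copy safe for logs: the key ID stays, the secret is masked."""
    safe = dict(headers)
    if HEADER_NAME in safe:
        key_id, _, _ = safe[HEADER_NAME].partition(":")
        safe[HEADER_NAME] = f"{key_id}:***"
    return safe


def build_request(url, env=os.environ):
    """Prepare (but do not send) an authenticated GET request."""
    return urllib.request.Request(url, headers=build_auth_header(env), method="GET")
```

Log only the output of redact(); the key ID alone is enough to tell which key to rotate or revoke after a 401 response.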
For further details, refer to the API reference.