Authentication
Supp uses two key types plus session auth. Choose the right one for your use case.
Key Types
| Type | Prefix | Access | Use Case |
|---|---|---|---|
| Publishable | pk_live_ | Widget endpoints only | Client-side widget embed. Domain-locked, spend-capped. Safe to expose in HTML. |
| Secret | sk_live_ | Full API access (scoped) | Server-side, MCP, dashboard APIs. Never expose in client code. |
Widget & Public Endpoints
Publishable Key: Pass your publishable key in the request body as api_key. Keys start with pk_live_.
{ "api_key": "pk_live_..." }
Server & MCP Endpoints
Secret Key: Use a secret key via the X-API-Key header. Keys start with sk_live_.
X-API-Key: sk_live_...
Dashboard Endpoints
Session: Log in at /login to get an authenticated session. Session cookies are refreshed automatically.
Rate Limits
All endpoints are rate-limited per account. If you exceed the limit, you'll receive a 429 response. Wait and retry with exponential backoff.
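The following server-side sketch is an added example, not code from Supp: it sends a secret key in the X-API-Key header and retries only on 429 with capped, jittered exponential backoff. The URL, the SUPP_SECRET_KEY variable name, and the backoff parameters (base, cap, attempt count, full jitter) are assumptions chosen for illustration.

```python
import os
import random
import time
import urllib.error
import urllib.request

API_URL = "https://api.example.invalid/v1/resource"  # placeholder, not a real Supp endpoint


def load_secret_key(env=os.environ):
    """Read the secret key from the environment and reject the wrong key type."""
    key = env.get("SUPP_SECRET_KEY", "")  # variable name is an assumption
    if not key.startswith("sk_live_"):
        raise ValueError("expected a secret key (sk_live_ prefix) for server endpoints")
    return key


def http_send(url, headers):
    """Default transport: returns (status, body) instead of raising on HTTP errors."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def backoff_delay(attempt, base=0.5, cap=30.0, rng=random.random):
    """Full-jitter backoff: uniform in [0, min(cap, base * 2**attempt))."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_backoff(key, send=http_send, sleep=time.sleep, max_attempts=5, url=API_URL):
    """Send the request with X-API-Key; retry only on 429, then give up."""
    headers = {"X-API-Key": key}  # the key travels in a header, never in the URL or body
    for attempt in range(max_attempts):
        status, body = send(url, headers)
        if status != 429:
            return status, body
        if attempt < max_attempts - 1:
            sleep(backoff_delay(attempt))
    raise RuntimeError(f"still rate-limited after {max_attempts} attempts")
```

The jitter keeps several workers on one account from retrying in lockstep, and the attempt limit stops a persistently limited client from looping forever.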