Authentication

Secure API access with workspace-scoped API keys.

API key format

Owlat API keys use a live prefix format, which the API validates:

lm_live_...

Sending auth headers

curl "https://<deployment>.convex.site/api/v1/contacts" \
  -H "Authorization: Bearer lm_live_your_key"

Authorization: <api_key> (without Bearer) is also accepted, but Bearer is recommended.

Common auth failures

Missing header (401)

{
  "error": {
    "message": "Missing or invalid Authorization header. Use: Authorization: Bearer <api_key>",
    "code": "unauthorized"
  }
}

Invalid format (401)

{
  "error": {
    "message": "Invalid API key format",
    "code": "unauthorized"
  }
}

Invalid or revoked key (401)

{
  "error": {
    "message": "Invalid API key",
    "code": "unauthorized"
  }
}

Rate limit exceeded (429)

{
  "error": {
    "message": "Rate limit exceeded. Maximum 10 requests per second.",
    "code": "rate_limited"
  }
}

Best practices

  • Keep keys server-side only
  • Rotate and revoke keys on a schedule
  • Use separate keys per environment
  • Monitor request patterns and failures
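
One way to act on "Monitor request patterns and failures", shown as an added example that is not part of Owlat's own code: it sorts responses into the failure types documented above and measures the peak request rate against the 10 requests per second limit. The (timestamp, status, body) record layout, the category names and the sample data are assumptions made for this example.

```python
import json
from collections import Counter

RATE_LIMIT_PER_SECOND = 10  # taken from the documented 429 message

def categorize(status, body):
    """Map one response to a failure category (labels are this example's own)."""
    try:
        err = json.loads(body)["error"]
        code, message = err["code"], str(err["message"])
    except (ValueError, KeyError, TypeError):
        return "unparsed" if status in (401, 429) else None
    if status == 429 and code == "rate_limited":
        return "rate_limited"
    if status == 401 and code == "unauthorized":
        if message.startswith("Missing or invalid Authorization header"):
            return "missing_header"
        if message == "Invalid API key format":
            return "malformed_key"
        if message == "Invalid API key":
            return "invalid_or_revoked_key"
        return "unauthorized_other"
    return None

def peak_requests_per_second(timestamps):
    """Largest number of requests inside any sliding 1-second window."""
    ts = sorted(timestamps)
    peak = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= 1.0:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def summarize(records):
    """records: iterable of (unix_time, http_status, response_body)."""
    counts = Counter(filter(None, (categorize(s, b) for _, s, b in records)))
    peak = peak_requests_per_second([t for t, _, _ in records])
    findings = []
    if counts["invalid_or_revoked_key"]:
        findings.append("a revoked or unknown key is still in use; check rotation rollout")
    if counts["malformed_key"] or counts["missing_header"]:
        findings.append("client misconfiguration: Authorization header or key format")
    if peak > RATE_LIMIT_PER_SECOND:
        findings.append(f"burst of {peak} req/s exceeds the limit of {RATE_LIMIT_PER_SECOND}")
    return dict(counts), peak, findings

def _err(message, code):  # builds a body in the documented error shape
    return json.dumps({"error": {"message": message, "code": code}})

# Constructed sample: a 12-request burst, then two key failures.
SAMPLE = [(100.0 + i * 0.05, 200, "{}") for i in range(10)] + [
    (100.50, 429, _err("Rate limit exceeded. Maximum 10 requests per second.", "rate_limited")),
    (100.55, 429, _err("Rate limit exceeded. Maximum 10 requests per second.", "rate_limited")),
    (130.0, 401, _err("Invalid API key", "unauthorized")),
    (131.0, 401, _err("Invalid API key format", "unauthorized"))]
```

Calling summarize(SAMPLE) returns the per-category counts, the peak rate and a list of findings; none of the inputs include the key itself, so the summary can be logged safely.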