Expanse API

Authentication

Dashboard HTTP APIs use dual authentication so browser apps and automation can share the same routes safely.

Dual auth

  • Clerk session: normal browser cookies when you are signed in to the panel. Full UI access; API key scope rules do not apply.
  • API key: an Authorization: Bearer sk_… header carrying a key created under Settings → API keys. Keys are Clerk-only; they are not created through this HTTP API surface.

Permissions / scopes

Keys may carry an optional list of scopes. An empty permission list means full access (legacy behavior). When scopes are set, each route checks required read/write scopes by HTTP method and path prefix (services, zones, domains, billing, tickets, teams including backup subpaths).

Missing scope: 403 with { "error": "Insufficient API key permissions" }.

API reference → Permission scopes

Expiry & revocation

  • Expired key: 401 with { "error": "API key expired" }.
  • Invalid / revoked key: 401 with a generic message — do not rely on exact wording for automation.

IP whitelist

If a key has a non-empty ipWhitelist, the request client IP must match an entry. Otherwise the key is rejected with 401 (generic or IP-specific message per server implementation).
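
One way for an automation client to act on the status codes documented above, as an added example that is not Expanse code. The `Action` names and the `classify` and `error_message` helpers are assumptions of this example; only the status codes and the two quoted error strings come from this page, and the sample responses are constructed.

```python
import json
from enum import Enum

class Action(Enum):
    OK = "ok"
    ROTATE_KEY = "rotate_key"          # expired key: create a new one in the panel
    FIX_SCOPES = "fix_scopes"          # key is valid but lacks a required scope
    STOP_AND_ALERT = "stop_and_alert"  # invalid, revoked or IP-rejected key
    OTHER_ERROR = "other_error"

# The only two error strings this page documents verbatim.
EXPIRED_MSG = "API key expired"
SCOPE_MSG = "Insufficient API key permissions"

def error_message(body):
    """Return the "error" field of a JSON body, or None if absent or unparseable."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return None
    if isinstance(parsed, dict) and isinstance(parsed.get("error"), str):
        return parsed["error"]
    return None

def classify(status, body):
    """Map an API-key response to the action an automation client should take."""
    if 200 <= status < 300:
        return Action.OK
    msg = error_message(body)
    if status == 403:
        return Action.FIX_SCOPES if msg == SCOPE_MSG else Action.OTHER_ERROR
    if status == 401:
        if msg == EXPIRED_MSG:
            return Action.ROTATE_KEY
        # Every other 401 (invalid, revoked, IP whitelist mismatch) is handled
        # by status alone, because its wording is not stable. Retrying with
        # the same key cannot succeed, so stop and alert instead of looping.
        return Action.STOP_AND_ALERT
    return Action.OTHER_ERROR

# Constructed sample responses (status, body); not captured from a real server.
SAMPLES = [
    (200, '{"ok": true}'),
    (401, '{"error": "API key expired"}'),
    (401, '{"error": "Unauthorized"}'),
    (403, '{"error": "Insufficient API key permissions"}'),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, classify(status, body).value)
```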

Rate limits

API key traffic on dual-auth routes is rate-limited per key id (see RATE_LIMITS.dashboardApiKey in the panel source). Clerk session traffic follows separate dashboard limits.