Before you can mint API keys or create sessions, please review and accept the following:
Bearer tokens · scoped + revocable
API keys
Pass as Authorization: Bearer <key>. Plaintext is
shown ONCE on creation — store it now; we can't recover it later. Revocation is
immediate.
curl https://api.driftstack.dev/v1/account/me \
-H "Authorization: Bearer ds_live_<your-key>"
# TypeScript SDK
npm i @driftstack/sdk
Replace ds_live_<your-key> with the key you copy on
creation — the plaintext is shown once and never stored.
API keys are scrypt-hashed at rest. Driftstack staff cannot read your keys — a database breach surfaces hashes, not keys. If a key leaks, revoke + rotate; no admin recovery path exists.
Scopes: read (list/get-only),
write (create sessions, navigate, interact),
account_owner (manage webhooks, billing, mint other keys).
Always create the narrowest-scoped key the job needs.