/v1/health and /v1/openapi.json requires authentication. Pass your key in either of two equivalent headers:
Bearer token (preferred)
API key header
x-api-key wins.
Key format
Arcmira keys start with thearc_sk_ prefix and contain 64 hex characters after it. The dashboard only displays the prefix and last 4 characters after creation. The raw secret is shown once, at creation time.
Creating keys
- Go to Dashboard → API Keys.
- Click Create key, give it a descriptive name (e.g.
production-backend), and select scopes. - Copy the revealed secret immediately and store it in your secrets manager.
- Use Disable to temporarily revoke a key without deleting it. Deleting is permanent.
Key secrets are shown once, at creation time. You can edit scopes later, but rotate the key if the secret may have been exposed.
Storage hygiene
- Keys are server-side credentials. Do not ship them to browsers, mobile clients, or any environment you don’t control.
- Rotate keys when team members leave or when one might have been exposed.
- Each key tracks
last_used_atandlast_used_ipso you can spot dormant or suspicious keys. - Calls against disabled, expired, or revoked keys return
401 invalid_api_key. - Mint one key per environment and per process. Don’t reuse production keys in CI. Each key has its own rate-limit bucket, usage trail, and Community Review reputation.
The scopes
Every key carriesread plus any explicit permissions you grant. Endpoints that require a scope you don’t have return 403 insufficient_scope; the message names the missing scope.
| Scope | Tier required | Required for |
|---|---|---|
read | Any | All read endpoints (search, entities, mentions, appearances, alert history). Granted automatically on every key; cannot be removed. |
monitors:write | Any paid | POST / PATCH / DELETE on /v1/monitors*, including monitor tracker mutations. |
trackers:write | Any paid | POST / PATCH / DELETE on /v1/trackers*. |
recommendations:read | Pro+ | GET /v1/recommendations, GET /v1/entities/{id}/recommendations, GET /v1/channels/{id}/sponsors, GET /v1/mentions?details=full, and the recommendations_summary blocks on entity and channel reads. |
Commercial intelligence access is premium because it parses creator ad reads, sponsors, and endorsements at scale. It requires both a Pro+ tier (
pro_plus, ultra, teams, enterprise) and recommendations:read. On lower tiers, commercial routes return 403 recommendations_not_enabled regardless of scope. See Commercial intelligence or check your plan from Pricing.Choosing scopes
- Read-only integrations (analytics, dashboards, BI exports): mint a key with
readonly. That key cannot create or delete anything. - Automation that creates trackers (CRM enrichment, monitor sync, GTM signals): needs
trackers:write, andmonitors:writeif it also manages monitors. - Commercial intelligence integrations (advertiser dashboards, sponsor research, ad-spend modeling): need
recommendations:readon a Pro+ plan. On Pro+ plans the dashboard selects it by default for new keys.
Verifying a key
The fastest sanity check is/v1/me:
Response
recommendations_api_enabledis the tier-level gate:trueonly on Pro+ tiers, independent of scopes. If it’sfalse, commercial routes will 403 even with the scope attached.usageshows the row budget; check it before metered pulls./v1/mecosts 0 rows, though like every authenticated route it returns402 quota_exceededonce your pool is exhausted with on-demand disabled.