Authentication & scopes
Every Creator API request must include a Bearer-token header. The token is a Creator API key (prefix cak_) issued from the studio's dashboard.
Header format
Authorization: Bearer cak_OlpKMOXvH9C28WPOyYK7...
Missing or invalid key → 401 Unauthorized.
Origin not in the key's allowed list → 403 Forbidden.
Rate limit exceeded → 429 Too Many Requests with a Retry-After header in seconds.
Scopes
Each key has an allowlist of scopes. Endpoints reject the request with 403 if the matching scope is missing.
| Scope | Grants |
|---|---|
| studio:read | Workspace meta, agent list, capabilities, tenant prompt read/write. |
| agents:read | List lims, fetch a single lim's profile. |
| agents:chat | Talk to Nexus or any lim. Persistent conversation threads. |
| tasks:create | Spawn long-running orchestrated tasks. |
| tasks:read | Poll task status + result. |
Allowed origins
If you populate the key's allowedOrigins list (e.g. https://app.travelmate.com), only requests from that origin pass. Leave it empty for server-to-server use where there's no Origin header.
Rate limit
Each key has a requests-per-minute limit, set when you create the key (default 60). The limit resets every 60 seconds. When you hit 429, use the Retry-After value (in seconds) as a backoff hint.
Revoking a key
Click Revoke next to any key in the dashboard. Future requests with that key fail immediately with 401.
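The following added example (not part of the Creator API documentation or any SDK) shows a server-to-server caller that sends the Bearer header, treats 401 and 403 as non-retryable, and waits for Retry-After on 429. The send transport hook, the function names, the 60-second fallback and cap, and the sample key are assumptions made for illustration.

```python
import time

class CreatorApiError(Exception):
    """Non-retryable failure. Messages never contain the full key."""

def redact(key):
    # Log only the prefix plus a few characters, never a usable key.
    return key[:8] + "..."

def parse_retry_after(resp_headers, default=60, cap=60):
    # Retry-After is in seconds. Fallback and cap of 60 are assumptions based
    # on the 60-second reset window; they keep a bad value from stalling us.
    value = next((v for k, v in resp_headers.items() if k.lower() == "retry-after"), None)
    try:
        seconds = int(str(value).strip())
    except ValueError:
        return default
    return max(1, min(seconds, cap))

def call_with_backoff(send, api_key, max_attempts=3, sleep=time.sleep):
    # send(headers) -> (status, response_headers, body) is a hypothetical
    # transport hook; plug in your HTTP client and the real endpoint there.
    if not api_key.startswith("cak_"):
        raise CreatorApiError("not a Creator API key (expected cak_ prefix)")
    # Server-to-server use: no Origin header is added.
    headers = {"Authorization": "Bearer " + api_key}
    for attempt in range(1, max_attempts + 1):
        status, resp_headers, body = send(headers)
        if status == 401:  # missing, invalid or revoked key: retrying cannot help
            raise CreatorApiError("401 for key " + redact(api_key))
        if status == 403:  # origin not allowed or scope missing: fix the key config
            raise CreatorApiError("403 for key " + redact(api_key))
        if status != 429:
            return status, body
        if attempt < max_attempts:
            sleep(parse_retry_after(resp_headers))
    raise CreatorApiError("429: still rate limited after %d attempts" % max_attempts)

if __name__ == "__main__":
    # Constructed transport: rate limited once, then succeeds.
    replies = [(429, {"Retry-After": "2"}, ""), (200, {}, '{"ok": true}')]
    print(call_with_backoff(lambda h: replies.pop(0), "cak_EXAMPLE_constructed_key"))
```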
