Getting started
Authentication
Authentication
How API keys work and how to authenticate requests.
Underlayer uses API keys for authentication. Keys are workspace-scoped: each key grants full access to a single workspace and all resources within it.
Creating a key
Open your workspace, go to Settings → API Keys, and click New API key. Give it a descriptive name (e.g. production-backend or ci-pipeline) so you can identify it later.
Using the key
Include your API key in the X-Api-Key header on every request.
X-Api-Key: ul_live_xxxxxxxxxxxxxxxxxxxx
Revoking a key
Go to Settings → API Keys, find the key, and click Revoke. Revocation is instant: any requests using that key will immediately receive a 401 Unauthorized response.
Multiple keys
You can create as many keys as needed. A common pattern is one key per service or environment (e.g. one for your production backend, one for CI, one for local testing). This way you can revoke a single key without affecting other integrations.
Key format
All API keys start with ul_live_ followed by a random token. Keys remain valid until explicitly revoked.
