Getting started

Authentication

Authentication

How API keys work and how to authenticate requests.

Underlayer uses API keys for authentication. Keys are workspace-scoped: each key grants full access to a single workspace and all resources within it.

Creating a key

Open your workspace, go to Settings → API Keys, and click New API key. Give it a descriptive name (e.g. production-backend or ci-pipeline) so you can identify it later.

The full key value is only shown once at creation time. Copy it immediately and store it securely (e.g. in your secrets manager). After leaving the page you can only see the last 4 characters.

Using the key

Include your API key in the X-Api-Key header on every request.

X-Api-Key: ul_live_xxxxxxxxxxxxxxxxxxxx

Revoking a key

Go to Settings → API Keys, find the key, and click Revoke. Revocation is instant: any requests using that key will immediately receive a 401 Unauthorized response.

Multiple keys

You can create as many keys as needed. A common pattern is one key per service or environment (e.g. one for your production backend, one for CI, one for local testing). This way you can revoke a single key without affecting other integrations.

Key format

All API keys start with ul_live_ followed by a random token. Keys remain valid until explicitly revoked.