Skip to content

Authentication

pokkit uses per-client bearer tokens for authentication.

How it works

Every request must include an Authorization header with a bearer token:

1
Authorization: Bearer pk_live_abc123...

Tokens are tied to a named client identity. The orchestrator validates the token on every request and logs the client name alongside each call for observability.

Getting a token

Tokens are issued manually for now. Contact Jim with your use case and you'll receive a token string.

Keep your token secret

Treat your API key like a password. Do not commit it to source control or expose it in client-side code.

401 response

If the token is missing, malformed, or unrecognized, the API returns:

1
2
3
4
5
6
HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
  "error": "Unauthorized"
}

Common causes:

  • Missing Authorization header
  • Token not prefixed with Bearer (note the space)
  • Token has been revoked or was never issued