All Campaign Refinery API endpoints use bearer authentication. Send your key in the HTTP Authorization header:

Authorization: Bearer YOUR_API_KEY

You can verify a key works in seconds with the Try It panel below. A valid key returns {"status": true, "message": "OK"}.

Keep your key secret. Do not put API keys in browser JavaScript, mobile apps, public repositories, screenshots, support tickets, or query strings. Store them in a server environment variable or a secrets manager. If you rotate a key, update the service that uses it before revoking the old one.

If a request returns 401, the most common causes are: missing Bearer prefix, a stray space, the wrong account's key, or a revoked key. Your key is managed under your account's API Keys page.