Authorization
All requests to the Publisher API must be authenticated using an API key passed as a Bearer token. Include your key in the Authorization header of
every request:
Obtaining an API Key
API keys are managed through the K42 Dashboard. Navigate to Settings > API Keys to create or revoke keys. Keys are scoped to an organisation and grant access to all memberbases and resources within that organisation.
Key Management
API keys do not expire by default, but they can be revoked at any time from the dashboard. When a key is revoked, all subsequent requests using that key will receive a 401 Unauthorized response. It is recommended to rotate keys
periodically and to use separate keys for different environments
(development, staging, production).
There is no OAuth flow or token refresh mechanism — API keys are long-lived
and remain valid until explicitly revoked. If a key is compromised, revoke
it immediately from the dashboard and issue a new one.
Authentication Errors
If your request is missing or has an invalid API key, the API returns a 401 Unauthorized response:
Rate Limiting
Rate limiting is applied per key. If you have multiple services integrating with Publisher, consider issuing separate keys to each service to isolate their rate limit budgets and simplify access auditing. If you exceed the limit, the API returns a 429 Too Many Requests response with a
Retry-After header indicating when you can retry.
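
The following is an added example, not code from the Publisher documentation: a client-side wrapper that builds the Bearer header from a per-environment key, fails fast on 401 so a revoked key triggers rotation instead of retries, and honours Retry-After on 429. The environment variable name PUBLISHER_API_KEY, the send() transport and the default and cap values are assumptions; the handling of both numeric and HTTP-date Retry-After values goes beyond what the page specifies.

```python
import os
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

API_KEY_VAR = "PUBLISHER_API_KEY"  # assumed name; set a different key per environment


class KeyRejected(Exception):
    """Key missing, invalid or revoked (401). Retrying cannot fix this."""


def auth_headers(env=os.environ):
    # Read the key from the environment so it never lives in source control.
    key = env.get(API_KEY_VAR, "").strip()
    if not key:
        raise KeyRejected(f"{API_KEY_VAR} is not set")
    return {"Authorization": f"Bearer {key}"}


def retry_after_seconds(value, now=None, default=1.0, cap=60.0):
    # Retry-After is either delta-seconds or an HTTP-date (RFC 9110).
    try:
        secs = int(value)
    except (TypeError, ValueError):
        try:
            now = now or datetime.now(timezone.utc)
            secs = (parsedate_to_datetime(value) - now).total_seconds()
        except (TypeError, ValueError):
            secs = default  # header absent or unparseable
    return float(min(max(secs, 0), cap))  # clamp: never negative, never unbounded


def call(send, headers, max_attempts=3, sleep=time.sleep):
    # send(headers) -> (status, response_headers, body) is a hypothetical
    # transport; wrap your HTTP library of choice behind it.
    for attempt in range(1, max_attempts + 1):
        status, resp_headers, body = send(headers)
        if status == 401:
            # Revoked or invalid key: fail fast so the caller can alert and rotate.
            raise KeyRejected("401 Unauthorized from Publisher API")
        if status != 429 or attempt == max_attempts:
            return status, body
        sleep(retry_after_seconds(resp_headers.get("Retry-After")))
```

Because rate limits are per key, a 429 returned after the last attempt is passed back to the caller rather than retried indefinitely.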