Authentication & API keys

Every request authenticates with a secret API key in the Authorization header:

curl https://api.briefqr.com/v1/operators 
  -H "Authorization: Bearer bqr_live_..."

There are no session cookies and no OAuth. The key is the credential — keep it server-side.

Key prefixes select the mode

PrefixModeOperates on
bqr_live_…LiveReal operators, devices, sessions — billed
bqr_test_…TestAn isolated sandbox — never billed

The prefix is authoritative: a live key can only see live data and a test key can only see test data. See test vs live mode.

Scopes

ScopeCan do
read_onlyGET requests only
fullReads and writes (create/update/delete), plus key + webhook management

A write with a read_only key returns 403 insufficient_scope (code: read_only_key).

Minting & revoking keys

Mint keys in the dashboard (Developers → API keys) or via the API with a full key:

curl -X POST https://api.briefqr.com/v1/api-keys 
  -H "Authorization: Bearer bqr_live_..." 
  -H "Content-Type: application/json" 
  -d '{ "name": "CI pipeline", "scope": "read_only", "mode": "live" }'

The response includes the plaintext key once — store it immediately. Afterwards only the last4 is retained; there is no way to reveal it again. Rotate a key by minting a new one and revoking the old:

curl -X DELETE https://api.briefqr.com/v1/api-keys/{id} 
  -H "Authorization: Bearer bqr_live_..."

Revocation is immediate — the next request with that key returns 401.

Failure modes

SituationStatuserror.code
No Authorization header401
Unknown / revoked key401
Expired key401expired_key
Write with a read-only key403read_only_key

Errors follow the standard envelope.