Authentication: API Keys, Scopes, and Error Handling

Every request to the 8bitedge API must be authenticated with a bearer API key. Keys take the form bit_<prefix>.<secret> and are issued per organization. The full plaintext token is displayed exactly once at provisioning time — store it somewhere safe, because it cannot be retrieved again. Treat your API key like a password: if it is exposed, contact the 8bitedge team immediately to have it revoked.

Your API key

API keys follow a two-part format separated by a dot:

bit_ab12cd34ef56.<secret>

The portion before the dot (bit_ab12cd34ef56) is a public prefix used to identify the key in logs and the /me response — you’ll recognize it as the last_four field. The portion after the dot is the secret. Once issued, the full secret value cannot be retrieved — if you lose it, you will need to request a new key.

Never expose your API key in client-side code, browser requests, or public repositories. Anyone who holds your key can make authenticated requests against your quota and plan limits.

Each key is scoped to an organization and may have an expiry or be revoked at any time. Keys also carry a name to help you distinguish between multiple keys issued to the same organization (e.g. server, analytics, staging).

Passing your key

Send your API key on every request in the Authorization header as a bearer token:

Authorization: Bearer bit_ab12cd34ef56.<secret>

Here is a complete example hitting the /api/v1/me endpoint:

curl -s https://api.8bitedge.com/api/v1/me \
  -H "Authorization: Bearer bit_ab12cd34ef56.<secret>" | jq

The API always expects JSON responses. The server enforces Accept: application/json automatically, but you may include the header explicitly for clarity:

curl -s https://api.8bitedge.com/api/v1/me \
  -H "Authorization: Bearer bit_ab12cd34ef56.<secret>" \
  -H "Accept: application/json" | jq

For convenience in the examples throughout this documentation, export your key to a shell variable: export BITEDGE_API_KEY="bit_ab12cd34ef56.<secret>". Then reference it as -H "Authorization: Bearer $BITEDGE_API_KEY" in every curl call.

Scopes

Each API key carries one or more scopes that limit which endpoints it can access. Scopes are granted at provisioning time and are visible in the api_key.scopes array returned by GET /api/v1/me.

Scope	Grants access to
`games.read`	All `/api/v1/games/*` endpoints
`consoles.read`	All `/api/v1/consoles*` endpoints
`demand-intent.read`	All `/api/v1/demand-intent/*` endpoints
`intelligence.read`	`/api/v1/intelligence` batch
`signals.read`	`/api/v1/signals` batch
`enrichment.read`	`/api/v1/enrichment` batch

The GET /api/v1/me endpoint requires a valid, active key but no specific scope. Use it to verify your key is working and to inspect which scopes you have been granted.

Calling an endpoint without the required scope returns 403 insufficient_scope — see the error reference below.

Auth error codes

The 8bitedge API returns structured JSON error envelopes for all authentication and authorization failures. Every error body follows the same shape:

{
  "error": {
    "code": "string_code",
    "message": "Human-readable message.",
    "details": {}
  }
}

Here is a reference for every auth-related error you may encounter:

Status	`code`	Meaning
401	`unauthorized`	The key is missing, invalid, revoked, or expired
403	`account_inactive`	Your organization or API client has been suspended
403	`insufficient_scope`	Your key is missing the required scope for this endpoint

401 — Missing or invalid key If you send a request with no Authorization header, or with a token that doesn’t match any active key:

{
  "error": {
    "code": "unauthorized",
    "message": "Missing API key."
  }
}

The same 401 unauthorized code is returned whether the key has never existed, has been revoked, or has passed its expiry date — the API does not reveal which of these conditions applies. 403 — Account inactive If your organization or the API client associated with your key has been suspended:

{
  "error": {
    "code": "account_inactive",
    "message": "Your organization or API client is not active."
  }
}

Contact the 8bitedge team to resolve an account suspension. 403 — Insufficient scope If your key is valid and active but is missing the scope required by the endpoint you called:

{
  "error": {
    "code": "insufficient_scope",
    "message": "This API key is missing the required scope: games.read.",
    "details": {
      "required_scope": "games.read"
    }
  }
}

The details.required_scope field tells you exactly which scope to request. Check your current scopes with GET /api/v1/me and contact the 8bitedge team to have additional scopes added to your key.

Key rotation

If you suspect your API key has been compromised, contact the 8bitedge team to revoke it. Revocation is immediate — after revocation, every request that uses the old key returns 401 unauthorized, regardless of which endpoint is called. After revocation you will be issued a new key. Update any applications, environment variables, or secrets manager entries that reference the old key before redeploying.

There is no self-service key revocation portal. Contact the 8bitedge team directly to revoke a compromised key as quickly as possible.

​Your API key

​Passing your key

​Scopes

​Auth error codes

​Key rotation

Your API key

Passing your key

Scopes

Auth error codes

Key rotation