API key format
bk_test_— sandbox key, read-only access to a demo enginebk_live_— production key, full access to your engines
https://api.barker.money. The server reads the key prefix to scope permissions and rate limit — there is no separate sandbox host.
Header
Every request must include:401 Unauthorized.
Rotation & revocation
In Portal → API Keys you can:- Create a new key (returned once in plaintext, then only the prefix is visible)
- Revoke any key (immediate, no grace period)
- View
last_used_atandlast_used_ipfor each key
Storage on our side
Your plaintext key is never stored. We store:key_hash: bcrypt hash of the full keykey_prefix: first 12 chars for UI/audit (e.g.bk_live_a3F2)