Introduction
Authentication
How to generate and use your SkyLight Chat API key.
Overview
The SkyLight Chat API uses Bearer token authentication. Every request must include your API key either in the Authorization header or the X-Api-Key header.
Your API key grants full access to your account. Keep it secret — never expose it in client-side JavaScript or public repositories.
Generating your API key
- Log in to your SkyLight Chat Dashboard
- Navigate to Settings → API
- Click Generate API Key
- Copy your key — it will only be shown once
Your API key looks like:
sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
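An added example (not SkyLight Chat's own code): a pre-commit or CI check that scans a source tree for strings with the sk_live_ prefix shown above, so a key pasted into front-end code or a repository is caught before it is published. The key body pattern (16 or more letters and digits), the skipped directories and the sample file are assumptions made for the illustration.

```python
import re
import sys
from pathlib import Path

# Assumption: the key body is 16+ letters/digits after the documented "sk_live_" prefix.
KEY_RE = re.compile(r"sk_live_[A-Za-z0-9]{16,}")
# Placeholders such as sk_live_xxxx... (one character repeated) are not real secrets.
PLACEHOLDER_RE = re.compile(r"sk_live_(.)\1+$")
SKIP_DIRS = {".git", "node_modules"}  # assumption: directories not worth scanning

# Constructed sample: a front-end file with a hard-coded (fake) key and a docs placeholder.
SAMPLE = '''const client = init();
const KEY = "sk_live_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0";
// docs placeholder: sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
'''


def scan_text(text, name="<text>"):
    """Return (name, line_number, redacted_key) for each real-looking key in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            if PLACEHOLDER_RE.match(key):
                continue
            # Report only the last 4 characters so the scan output leaks nothing.
            findings.append((name, lineno, f"sk_live_...{key[-4:]}"))
    return findings


def scan_tree(root):
    """Scan every file under root, skipping the directories in SKIP_DIRS."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        findings.extend(scan_text(text, str(rel)))
    return findings


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, lineno, key in hits:
        print(f"{name}:{lineno}: SkyLight Chat API key {key}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the commit hook or CI job
```

A key that this check finds in committed history should be treated as compromised and regenerated.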
Sending authenticated requests
Authorization header (recommended)
curl https://dashboard.skylightchat.com/api/v1/contacts \
-H "Authorization: Bearer sk_live_••••••••••••"
X-Api-Key header (alternative)
curl https://dashboard.skylightchat.com/api/v1/contacts \
-H "X-Api-Key: sk_live_••••••••••••"
Both methods are equivalent. The Authorization: Bearer approach is preferred as it aligns with OAuth 2.0 conventions.
Domain whitelisting
For additional security, you can restrict which domains are allowed to call your API. Configure allowed origins in Settings → API → Allowed Domains.
When a domain whitelist is configured:
- Requests from unlisted origins receive a 403 Forbidden response
- Setting * or leaving it empty allows all origins
- This is checked against the Origin and Referer request headers
{
  "success": false,
  "message": "Request origin is not allowed."
}
Regenerating your key
If your key is compromised, go to Settings → API and click Regenerate Key. The old key is immediately invalidated.
Regenerating your key will break all existing integrations using the old key. Update your systems before regenerating in production.
Authentication errors
| Code | Meaning |
|---|---|
| 401 | Missing or invalid API key |
| 403 | Key is valid but the account is inactive, or the request origin is not whitelisted |
Example 401 response:
{
  "success": false,
  "message": "Unauthenticated. Please provide a valid API key."
}
