Authentication
Overview
The SkyLight Chat API uses API key authentication. Every request must include your API key via the X-Api-Key header or the Authorization: Bearer header.
Generating your API key
- Log in to your SkyLight Chat Dashboard
- Navigate to Settings → API & Integrations
- Click Generate API Key
- Copy your key — it will only be shown once
Your API key is a 44-character string (e.g., B2d4272g08ef1UErWrJinUGyCT6YL72DmPeBC0If).
Sending authenticated requests
X-Api-Key header (recommended)
curl https://dashboard.skylightchat.com/api/v1/contacts \
-H "X-Api-Key: YOUR_API_KEY"
Use X-Api-Key for maximum compatibility. Some proxies or load balancers may strip the Authorization header on non-standard requests.
Authorization header (alternative)
curl https://dashboard.skylightchat.com/api/v1/contacts \
-H "Authorization: Bearer YOUR_API_KEY"
Both methods are equivalent. Prefer X-Api-Key when Authorization: Bearer returns 401 due to infrastructure.
Domain whitelisting
For additional security, you can restrict which domains are allowed to call your API. Configure allowed origins in Settings → API → Allowed Domains.
When a domain whitelist is configured:
- Requests from unlisted origins receive a
403 Forbiddenresponse - Setting
*or leaving it empty allows all origins - This is checked against the
OriginandRefererrequest headers
{
"success": false,
"message": "Request origin is not allowed."
}
Regenerating your key
If your key is compromised, go to Settings → API & Integrations and click Regenerate Key. The old key is immediately invalidated.
Authentication errors
| Code | Meaning |
|---|---|
401 | Missing or invalid API key |
403 | Key is valid but the account is inactive, or the request origin is not whitelisted |
Example 401 response:
{
"success": false,
"message": "Unauthenticated. Please provide a valid API key."
}