All requests require an organization API key, sent as a Bearer token:
Authorization: Bearer boom_org_xxxxxxxxxxxxxxxxxxxx
- The key identifies your organization. You never pass an organization
id — it’s derived from the key, and every request is scoped to it.
- Keys are prefixed
boom_org_ and are shown once at creation. Store
the key securely; Boom only retains a hash.
- Revoking a key in the dashboard immediately rejects further requests
with
401.
Treat API keys like passwords. Never embed them in client-side code,
mobile apps, or public repositories. Use server-to-server calls only.
Errors
A 401 is returned with one of two messages depending on the failure mode:
| Status | error message | When |
|---|
401 | Missing or malformed Authorization header | The header is absent or not in Bearer <key> format |
401 | Invalid or revoked API key | The key failed verification (wrong key, or revoked) |
{ "error": "Invalid or revoked API key" }