Authentication

Secure every request with organization-scoped API keys.

Bearer tokens

Include your secret key in the `Authorization` header. Keys are prefixed by environment: - `pk_sandbox_` — sandbox (test data, no OTA impact) - `pk_live_` — production

Example request

curl https://api.paddie.channel/v1/properties \
  -H "Authorization: Bearer pk_sandbox_abc123" \
  -H "Content-Type: application/json"

Organization scope

Each key is scoped to one organization. Cross-tenant access is rejected with `403`. Rotate keys from the partner portal without downtime using overlapping validity windows.

Security checklist

- Never expose secret keys in client-side code or mobile apps - Store keys in a secrets manager (Vault, AWS Secrets Manager, etc.) - Use separate keys per environment and per integration surface