Authentication
Secure every request with organization-scoped API keys.
Bearer tokens
Include your secret key in the `Authorization` header. Keys are prefixed by environment: - `pk_sandbox_` — sandbox (test data, no OTA impact) - `pk_live_` — production
Example request
curl https://api.paddie.channel/v1/properties \
-H "Authorization: Bearer pk_sandbox_abc123" \
-H "Content-Type: application/json"
Organization scope
Each key is scoped to one organization. Cross-tenant access is rejected with `403`. Rotate keys from the partner portal without downtime using overlapping validity windows.
Security checklist
- Never expose secret keys in client-side code or mobile apps - Store keys in a secrets manager (Vault, AWS Secrets Manager, etc.) - Use separate keys per environment and per integration surface