All requests to the Scheduler API must include an API key in the Authorization header. The API uses stateless HMAC-signed keys — no session tokens or cookies are involved.
Keys follow a two-part format:
For example:
Authorization: Bearer arnav.sk_7a9b...2f1c
user_id identifies your account. The signature is an HMAC hash that the API verifies on every request. Both parts are required — passing only a user ID will result in a 401 error.
Passing your key
Include the key in the Authorization header of every request:
Authorization: Bearer YOUR_KEY
curl -X POST https://shift-scheduler-api-3nxm.vercel.app/api/schedule \
-H "Authorization: Bearer YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{ ... }'
Requesting an API key
API keys are issued on request. Email the following address with your name and a brief description of your use case:
[email protected]
You will receive your [user_id].[signature] key by email.
Version 2.0+ uses a stateless HMAC authentication strategy. Legacy API keys from v1.0 (Python) are not compatible and will be rejected with a 401 error. Request a new key if you are migrating from v1.0.
Error responses
| Status | Meaning |
|---|
401 Unauthorized | The HMAC signature is invalid, the key is malformed, or the key has been revoked. |
401, verify that:
- You are passing the full
[user_id].[signature] key, not just one part.
- You have not trimmed or modified the signature.
- Your key has not been revoked (contact [email protected] to reissue).
Rate limiting
Each API key has a daily quota. To check your current usage and remaining quota, call GET /api/usage.
curl https://shift-scheduler-api-3nxm.vercel.app/api/usage \
-H "Authorization: Bearer YOUR_KEY"