API keys are used to authenticate requests to the Stigg REST API. Each environment has its own isolated set of keys.
Key types
The REST API accepts any server key — either the default full access key or a user-created scoped key (Scale plan):
| Key type | Prefix | Access |
|---|---|---|
| Full access key | server- | Unrestricted |
| Scoped key | server- | Restricted to configured resources and permissions |
Server keys must never be exposed in client-side code, public repositories, or frontend bundles. Use environment variables to store them securely.
Finding your API keys
- Log in to the Stigg Console
- Navigate to Integrations > API keys
Using API keys
Include your key in the X-API-KEY header with every request:
curl -X GET "https://api.stigg.io/api/v1/customers" \
  -H "X-API-KEY: your-server-api-key" \
  -H "Content-Type: application/json"
REST SDK
import Stigg from '@stigg/rest-client';

// Read the server key from the environment; never hardcode it in source.
const stigg = new Stigg({
  apiKey: process.env.STIGG_SERVER_API_KEY,
});
Authentication errors
If the key is missing, invalid, or expired, the API returns 401 Unauthorized:
{
  "error": {
    "code": "UNAUTHENTICATED",
    "message": "Invalid or missing API key"
  }
}
If you use a scoped key that lacks permission for the requested resource, the API returns 403 Forbidden.
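The rules on this page (key read from the environment, `X-API-KEY` header, 401 versus 403) combined in one server-side wrapper, as an added example that is not Stigg's code. The function names, the origin check and the use of Node 18+ `fetch` are assumptions; the env var name and host come from the snippets above.

```javascript
// Added example (hypothetical helpers, not Stigg code). Assumes Node 18+.
const BASE_URL = 'https://api.stigg.io'; // host from the curl example above

// Build the request from an env-like object so the key never sits in source.
function buildRequest(path, env) {
  const key = env.STIGG_SERVER_API_KEY;
  if (!key) throw new Error('STIGG_SERVER_API_KEY is not set');
  // Both server key types use the "server-" prefix; reject anything else.
  if (!key.startsWith('server-')) throw new Error('expected a server- key');
  // Server keys must not reach client-side code: refuse to run in a browser.
  if (typeof window !== 'undefined') throw new Error('server key in browser');
  const url = new URL(path, BASE_URL);
  // An absolute or "//host" path would send the key to another origin.
  if (url.origin !== BASE_URL) throw new Error('refusing non-Stigg origin');
  return {
    url: url.toString(),
    headers: { 'X-API-KEY': key, 'Content-Type': 'application/json' },
  };
}

// Map the two documented auth failures to an operator action.
function interpretResponse(status, body) {
  const code = body?.error?.code ?? null;
  if (status === 401) {
    return { ok: false, kind: 'unauthenticated', code,
      action: 'key missing, invalid or expired: check or replace it' };
  }
  if (status === 403) {
    return { ok: false, kind: 'forbidden', code,
      action: 'scoped key lacks permission for this resource' };
  }
  return { ok: status >= 200 && status < 300, kind: 'other', code, action: null };
}

// fetchImpl is injectable so the logic can be exercised offline.
async function stiggGet(path, env = process.env, fetchImpl = fetch) {
  const { url, headers } = buildRequest(path, env);
  const res = await fetchImpl(url, { method: 'GET', headers });
  const body = await res.json().catch(() => null);
  return { ...interpretResponse(res.status, body), body };
}
```

The error messages deliberately omit the key value, so they are safe to log.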
Key rotation and management
For key rotation, revocation, creating scoped keys, and access control, see the full API key management guide: