Skip to main content
Beta functionality: reach out to support to express interest in our API and MCP servers. Beta users can also browse the API Reference.
API keys let trusted scripts, terminals, and integrations call the Surfacd API for a specific team. Create each key from the team that owns the data you want to access.

Create a key

  1. Open the team you want the key to access.
  2. Go to Team Settings > API Keys.
  3. Enter a name for the key, something that reminds you where you’ll use it, like Local script or Vercel integration.
  4. Click Create Key.
A dialog will appear showing the key once. Copy it now and store it somewhere safe. For your security, we can’t show it to you again. If you lose a key, revoke it and create a new one.

Use a key

Send the key as a Bearer token in the Authorization header, and call the API on app.surfacd.com or the team’s own URL.
curl 'https://app.surfacd.com/api/v1/team' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  -H 'Accept: application/json'
A few things to know:
  • Keys belong to teams. Create a separate key for each team or integration that needs API access.
  • The key selects the team. Team-level endpoints do not need a team UUID. Project-scoped endpoints use project UUIDs from the same team.
  • Treat keys as team-level access. Store them only in trusted systems and revoke keys that are no longer needed.

Revoke a key

You can revoke any key from Team Settings > API Keys. Click Revoke next to the key. Calls using that key stop working immediately. If a key may have been exposed (committed to a repo, pasted in a chat, etc.), revoke it straight away and create a new one.

Security tips

  • Treat keys like passwords. Don’t share them, paste them in chats, or commit them to source control.
  • Use a separate, named key per integration so you can revoke just that one if something goes wrong.
  • Prefer environment variables or a secret manager over hardcoding keys.
  • Rotate keys periodically: revoke old ones and create a fresh one.