Beta functionality: reach out to support to express interest in our API and MCP servers. Beta users can also browse the API Reference.
Create a key
- Open the team you want the key to access.
- Go to Team Settings > API Keys.
- Enter a name for the key, something that reminds you where you’ll use it, like Local script or Vercel integration.
- Click Create Key.
Use a key
Send the key as aBearer token in the Authorization header, and call the API on app.surfacd.com or the team’s own URL.
- Keys belong to teams. Create a separate key for each team or integration that needs API access.
- The key selects the team. Team-level endpoints do not need a team UUID. Project-scoped endpoints use project UUIDs from the same team.
- Treat keys as team-level access. Store them only in trusted systems and revoke keys that are no longer needed.
Revoke a key
You can revoke any key from Team Settings > API Keys. Click Revoke next to the key. Calls using that key stop working immediately. If a key may have been exposed (committed to a repo, pasted in a chat, etc.), revoke it straight away and create a new one.Security tips
- Treat keys like passwords. Don’t share them, paste them in chats, or commit them to source control.
- Use a separate, named key per integration so you can revoke just that one if something goes wrong.
- Prefer environment variables or a secret manager over hardcoding keys.
- Rotate keys periodically: revoke old ones and create a fresh one.