Authentication

You'll need to authenticate your requests to access any of the endpoints in the Support Station API. In this guide, we'll look at how authentication works using API keys.

API Keys

All API requests require authentication using an API key. Include your API key in the Authorization header as a Bearer token:

Example request with API key

curl https://api.supportstation.io/api/v1/tickets \
  -H "Authorization: Bearer sk_live_your_api_key_here"

Creating API Keys

API keys are organization-scoped and can be created in your Support Station dashboard under Settings > API Keys.

  1. Navigate to Settings > API Keys
  2. Click "Create API Key"
  3. Give your key a descriptive name
  4. Select the permission scopes you need
  5. Copy the key immediately - it won't be shown again

Scopes

API keys have granular permission scopes that control what resources they can access:

  • tickets:read - List and view tickets in your organization.
  • tickets:write - Create tickets, update ticket properties, and add messages to tickets.
  • customers:read - List and view customer information.
  • customers:write - Create, update, and delete customers.

When creating an API key, only select the scopes your integration actually needs. This follows the principle of least privilege and limits potential damage if a key is compromised.

Key Prefixes

Support Station API keys use prefixes to help you identify them:

  • sk_live_ - Production API keys that access live data.
  • sk_test_ - Test API keys for development and testing.

Rate Limiting

API requests are rate limited to 100 requests per minute per API key. Rate limit information is included in response headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95

When you exceed the rate limit, you'll receive a 429 Too Many Requests response. Implement exponential backoff in your integration to handle rate limits gracefully.
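One way to handle 429 responses with exponential backoff while keeping the key out of source code, as an added example that is not part of the Support Station documentation. The environment variable name SUPPORT_STATION_API_KEY, the 1-second base delay, the 60-second cap and the retry count are assumptions chosen for illustration.

```python
import os
import random
import time
import urllib.error
import urllib.request

API_URL = "https://api.supportstation.io/api/v1/tickets"  # endpoint from the example request
KEY_ENV_VAR = "SUPPORT_STATION_API_KEY"  # assumed variable name, not defined by the docs


def load_api_key(env=os.environ):
    """Read the key from the environment and sanity-check its documented prefix."""
    key = env.get(KEY_ENV_VAR, "")
    if not key.startswith(("sk_live_", "sk_test_")):
        # The message names the variable only; the key value is never echoed.
        raise RuntimeError(f"{KEY_ENV_VAR} is unset or is not a Support Station key")
    return key


def http_get(url, api_key):
    """Send one authenticated GET and return (status, headers, body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx, including 429
        return err.code, err.headers, err.read()


def backoff_delay(attempt, base=1.0, cap=60.0, rng=random.random):
    """Full-jitter delay: a random point in [0, min(cap, base * 2**attempt))."""
    return rng() * min(cap, base * (2 ** attempt))


def get_with_backoff(url, api_key, send=http_get, max_retries=5,
                     sleep=time.sleep, rng=random.random):
    """Retry only on 429; any other status goes straight back to the caller."""
    for attempt in range(max_retries + 1):
        status, headers, body = send(url, api_key)
        if status != 429:
            return status, headers, body
        if attempt < max_retries:
            sleep(backoff_delay(attempt, rng=rng))
    raise RuntimeError(f"still rate limited after {max_retries} retries")


if __name__ == "__main__":
    status, headers, _ = get_with_backoff(API_URL, load_api_key())
    print(status, headers.get("X-RateLimit-Remaining"))
```

The jitter spreads retries from several workers sharing one key so they do not all hit the per-key limit again at the same instant.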

Security Best Practices

  • Never expose API keys in client-side code - API keys should only be used server-side
  • Use environment variables - Store API keys in environment variables, not in code
  • Rotate keys periodically - Create new keys and revoke old ones regularly
  • Use minimal scopes - Only request the permissions your integration needs
  • Monitor usage - Check your API key usage in the dashboard for unusual activity
