API Authentication

The Smidge API supports two authentication methods depending on the context: session cookies for web app usage, and Bearer tokens for CLI and programmatic access.

Session Cookies (Web App)

When using the Smidge web app, authentication is handled automatically via Supabase session cookies. After logging in through the web interface, your browser stores a secure, HTTP-only session cookie that is sent with every API request.

You don't need to manage session cookies manually — the web app handles token refresh and session management automatically.

Bearer Token (CLI / API)

For CLI and programmatic access, use a Bearer token in the Authorization header:

Requestbash

curl -X GET https://smdg.app/api/skills \
  -H "Authorization: Bearer smdg_sk_your_api_key_here"

Token Format

API keys use the prefix smdg_sk_ followed by a random string. Example:

API key format

smdg_sk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Finding Your API Key

●Log in to smdg.app
●Navigate to your Account page
●Scroll to the API Key section
●Click "Show" to reveal your key, or "Copy" to copy it to clipboard

Regenerating Your API Key

If your API key is compromised, regenerate it from the Account page. Click “Regenerate” to create a new key. The old key is immediately invalidated — any CLI sessions or integrations using it will need to be updated.

Warning

Regenerating your API key invalidates the previous key immediately. Update all CI/CD pipelines and scripts before regenerating.

Authentication Errors

Status	Code	Description
401	`unauthorized`	No authentication token provided, or the token is invalid.
403	`forbidden`	The token is valid but does not have permission for this operation.

401 Responsejson

{
  "error": "unauthorized",
  "message": "Missing or invalid authentication token."
}

Previous← Examples NextAPI Endpoints →