Authentication

API keys, Bearer tokens and scopes

All API requests require an Authorization header with a Bearer token (API key). Each account can generate multiple named keys, see when they were last used, and revoke them at any time.

Header format

```http
Authorization: Bearer cbct_live_a3f9b1c2d4e5f6g7h8i9j0k1l2m3n4o5
```

How to create an API key

  1. Sign up at cbcthub.com/signup (Free plan available).
  2. In the dashboard, open Settings → API.
  3. Give it a descriptive name (e.g. “Internal clinic system”) and click Create key.
  4. The key is shown ONLY ONCE. Copy it and store it in your secret manager (environment variables, AWS Secrets Manager, Vault, Doppler).
If you lose a key, we cannot recover it. Revoke and create a new one.

Permissions by scope

Each key has scopes that determine what it can do. Today keys are created with both scopes enabled:

  • exams:read - list and read exams
  • exams:write - create, confirm and delete exams

Revoking keys

From Settings → API you can revoke any key. Revocation is immediate: subsequent calls return 401. Revoked keys stay listed for audit purposes but cannot be reactivated.

What happens with an invalid key

If the key is missing, malformed, invalid or revoked, you get a 401 Unauthorized:

```json
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or revoked API key."
  }
}
```
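To make the scope and revocation rules above concrete, here is an added illustrative server-side verifier (not cbcthub's own code). It assumes a hash-only key store (which is what makes a lost key unrecoverable), the page's `exams:read`/`exams:write` scopes and its documented 401 body; the 403 response for a key that lacks the required scope is an assumption, since the page does not specify it.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Body the page documents for a missing, malformed, invalid or revoked key.
UNAUTHORIZED = {"error": {"code": "unauthorized", "message": "Invalid or revoked API key."}}


@dataclass
class KeyRecord:
    name: str
    scopes: frozenset
    revoked: bool = False


def _digest(raw_key: str) -> str:
    # Hypothetical storage scheme: only the SHA-256 digest is kept, so the key
    # can be shown once at creation and cannot be recovered afterwards.
    return hashlib.sha256(raw_key.encode()).hexdigest()


def create_key(store: dict, name: str, scopes) -> str:
    raw = "cbct_live_" + secrets.token_hex(16)  # constructed; mirrors the page's key shape
    store[_digest(raw)] = KeyRecord(name, frozenset(scopes))
    return raw  # returned to the user exactly once, never stored in plaintext


def revoke_key(store: dict, name: str) -> None:
    # Revoked keys stay in the store for audit, but authenticate() rejects them.
    for rec in store.values():
        if rec.name == name:
            rec.revoked = True


def authenticate(store: dict, authorization: Optional[str]) -> Optional[KeyRecord]:
    """Return the KeyRecord for a well-formed 'Bearer <key>' header, else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token or " " in token:
        return None  # missing or malformed header
    rec = store.get(_digest(token))  # unknown and revoked keys look identical to the caller
    return None if rec is None or rec.revoked else rec


def handle(store: dict, authorization: Optional[str], required_scope: str):
    """Gate one request: 401 with the documented body, 403 (assumed) if the scope is missing."""
    rec = authenticate(store, authorization)
    if rec is None:
        return 401, UNAUTHORIZED
    if required_scope not in rec.scopes:
        return 403, {"error": {"code": "forbidden", "message": f"Key lacks scope {required_scope}."}}
    return 200, {"key": rec.name}
```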