DraftFilterDeveloper API

Developer reference

Authentication

The public API accepts customer API keys on every /v1/* route. Use one of these headers:

text
Authorization: Bearer df_live_key_...
X-Api-Key: df_live_key_...

Prefer Authorization: Bearer for new clients. X-Api-Key exists for environments where setting the authorization header is inconvenient.

API keys are scoped. Current public scopes are:

text
score_jobs:create
score_jobs:read
rewrite_jobs:create
rewrite_jobs:read

Missing, malformed, unknown, expired, revoked, or rotated-away keys return 401 invalid_api_key. A valid key without the required scope returns 403 insufficient_scope.

json
{
  "error": {
    "code": "invalid_api_key",
    "message": "The API key is missing or invalid."
  }
}

Dashboard authentication is separate. /dashboard/* routes use Firebase ID tokens for the web app, not customer API keys, and are unsupported internal implementation details for public API clients.