API access
How the template exposes machine access with personal and workspace API keys.
API access
The template includes machine access through Better Auth API keys and a starter /api/v1 surface.
API clients authenticate with the x-api-key header. Browser session cookies are not accepted for
external API routes.
Key families
| Key type | Managed from | Principal | Typical use |
|---|---|---|---|
| Personal API key | /user/api-keys | The owning user | Scripts and integrations that should follow user workspace membership. |
| Workspace API key | /w/:organizationKey/settings/api-keys | One workspace organization | Server integrations owned by a workspace. |
Both key families use the same external header and the same response envelope conventions.
Starter API routes
The initial /api/v1 routes expose read-only organization data:
GET /api/v1/meGET /api/v1/organizationsGET /api/v1/organizations/:organizationIdGET /api/v1/organizations/:organizationId/membersGET /api/v1/organizations/:organizationId/teamsGET /api/v1/organizations/:organizationId/teams/:teamId/members
Safety model
API key permissions, organization scope rules, expiration, and rate limits are checked before route handlers return data. Product endpoints should extend those checks instead of reading raw Better Auth payloads in route code.