Skip to main content

API access

How the template exposes machine access with personal and workspace API keys.

SectionAPI and integrations / Overview
PurposeAPI user documentation
UpdatedJul 6, 2026
AuthorTemplate Maintainers
Versionv1.2.0
Reading time2 min

API access

The template includes machine access through Better Auth API keys and a starter /api/v1 surface. API clients authenticate with the x-api-key header. Browser session cookies are not accepted for external API routes.

Key families

Key typeManaged fromPrincipalTypical use
Personal API key/user/api-keysThe owning userScripts and integrations that should follow user workspace membership.
Workspace API key/w/:organizationKey/settings/api-keysOne workspace organizationServer integrations owned by a workspace.

Both key families use the same external header and the same response envelope conventions.

Starter API routes

The initial /api/v1 routes expose read-only organization data:

  • GET /api/v1/me
  • GET /api/v1/organizations
  • GET /api/v1/organizations/:organizationId
  • GET /api/v1/organizations/:organizationId/members
  • GET /api/v1/organizations/:organizationId/teams
  • GET /api/v1/organizations/:organizationId/teams/:teamId/members

Safety model

API key permissions, organization scope rules, expiration, and rate limits are checked before route handlers return data. Product endpoints should extend those checks instead of reading raw Better Auth payloads in route code.