The Anyreach API accepts two kinds of bearer credential. Pass either one in the Authorization header — the platform validates it and resolves your organization and scopes server-side.
| Credential | Prefix | Created at | Organization |
| --- | --- | --- | --- |
| Organization API key | ak_ | API Keys page (/api-keys) | Carries its organization implicitly |
| Personal access token (PAT) | pat_ | Account → Tokens (/account/tokens) | Not org-bound — you must pass the org per request |
Use an organization API key for backend integrations that act on one organization. Use a personal access token for tooling that spans several of your organizations.

Create a credential

  1. Open API Keys from the sidebar.
  2. Click New API key and give it a descriptive name.
  3. Copy the full secret (ak_<id>.<secret>) — it is shown only once. Store it in your secret manager.

Use it

Pass the credential as a bearer token:
curl https://api.anyreach.ai/core/agents \
  -H "Authorization: Bearer $ANYREACH_TOKEN"
Organization API keys carry their organization, so that is all you need. A personal access token is not bound to an organization — add the X-Anyreach-Org header to tell Anyreach which organization to act on:
curl https://api.anyreach.ai/core/agents \
  -H "Authorization: Bearer $ANYREACH_PAT" \
  -H "X-Anyreach-Org: $ANYREACH_ORG_ID"
If you call an org-scoped endpoint with a pat_ token and no X-Anyreach-Org header, the request fails with 401 and the message “Token is missing organization claim.” Retry with the header.
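
The prefix rules above can be enforced on the client before any request is sent. This is an added example, not Anyreach's own code: a shell helper for org-scoped calls that chooses headers from the credential prefix and refuses a pat_ token without an organization ID. It prints a curl config for `curl --config -` so the secret stays out of the process argument list; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of Anyreach.

# anyreach_curl_config TOKEN [ORG_ID]
# Prints a curl config for `curl --config -`. Returns 2 on a bad input.
anyreach_curl_config() {
  local token="${1:-}" org="${2:-}"
  # Refuse control characters, whitespace, quotes and backslashes: they
  # could inject an extra header or break out of the quoted config value.
  case "$token$org" in
    *[[:cntrl:][:space:]\"\\]*)
      echo "error: unsafe character in token or org id" >&2; return 2 ;;
  esac
  case "$token" in
    ak_*) ;;  # organization API key: organization is implicit
    pat_*)
      # Not org-bound: an org-scoped call without the header would get
      # 401 "Token is missing organization claim", so stop before sending.
      if [ -z "$org" ]; then
        echo "error: pat_ token requires an organization id" >&2; return 2
      fi ;;
    *)
      echo "error: credential has neither ak_ nor pat_ prefix" >&2; return 2 ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$token"
  case "$token" in
    pat_*) printf 'header = "X-Anyreach-Org: %s"\n' "$org" ;;
  esac
}

# anyreach_redact TOKEN: keep only the prefix when a credential must be logged.
anyreach_redact() {
  case "${1:-}" in
    ak_*)  echo 'ak_[REDACTED]' ;;
    pat_*) echo 'pat_[REDACTED]' ;;
    *)     echo '[REDACTED]' ;;
  esac
}

# Usage (makes a network call, so it is shown as a comment only):
#   anyreach_curl_config "$ANYREACH_PAT" "$ANYREACH_ORG_ID" |
#     curl --config - https://api.anyreach.ai/core/agents
```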

Rotation

Tokens don’t expire unless you set an expiry. Rotate them when:
  • A teammate with access leaves
  • A token may have been exposed in logs or version control
  • Your security policy requires periodic rotation
Delete old credentials from the same page you created them on. Active calls using a deleted credential start failing with 401.

Scope and permissions

A credential can do whatever the issuing user (or organization role) can do, governed by roles and fine-grained scopes. See Roles and permissions for the full model. For automated integrations, issue the credential from a user with the minimum role required.

Public endpoints

Some endpoints accept unauthenticated calls for browser or webhook embedding — for example public workflow execution and the public web-widget endpoints. Never send a pat_ or ak_ credential from a browser.