API Authentication

All Developer API requests require an API key. This page explains how to create, use, and manage API keys.

Creating an API Key

  1. Go to Settings in the sidebar
  2. Find the Developer section
  3. Click Create API Key
  4. Give your key a name (e.g., "Production", "Testing")
  5. Copy the key immediately — it's shown only once

Show-once pattern

The full API key is displayed only at creation time. GloriaMundo stores a hash of the key, not the key itself, so it cannot be retrieved later. If you lose it, revoke it and create a new one.

Key Format

API keys follow this format:

gm_live_<random_characters>

For example: gm_live_a1b2c3d4e5f6g7h8i9j0...

In the Settings UI, keys are displayed by their prefix (first 16 characters) for identification.
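
The show-once storage and the 16-character prefix described above, sketched from the server side as an added example (this is not GloriaMundo's code). SHA-256 as the hash, the key length and hex alphabet, and the `KeyStore` class with its method names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 16  # per the page: keys are identified by their first 16 characters


class KeyStore:
    """Constructed illustration of show-once key storage (hypothetical class)."""

    def __init__(self):
        self._records = {}  # prefix -> record; the full key is never stored

    @staticmethod
    def _digest(key: str) -> str:
        # Assumption: SHA-256. A fast hash is adequate for long random keys;
        # low-entropy secrets such as passwords would need a slow KDF instead.
        return hashlib.sha256(key.encode()).hexdigest()

    def create(self, name: str) -> str:
        while True:
            key = "gm_live_" + secrets.token_hex(24)  # assumed length/alphabet
            if key[:PREFIX_LEN] not in self._records:  # keep prefixes unique
                break
        self._records[key[:PREFIX_LEN]] = {
            "name": name, "hash": self._digest(key), "revoked": False}
        return key  # the only time the full key is available

    def list_keys(self) -> list:
        # Name, prefix and status only: the key itself cannot be reconstructed.
        return [{"name": r["name"], "prefix": p,
                 "status": "revoked" if r["revoked"] else "active"}
                for p, r in self._records.items()]

    def revoke(self, prefix: str) -> None:
        self._records[prefix]["revoked"] = True

    def authenticate(self, presented: str) -> int:
        """Return the status the page documents: 200, or 401 on any failure."""
        record = self._records.get(presented[:PREFIX_LEN])
        if record is None or record["revoked"]:
            return 401
        # Constant-time comparison so timing does not reveal matching bytes.
        ok = hmac.compare_digest(record["hash"], self._digest(presented))
        return 200 if ok else 401
```

Because only the digest is kept, a database leak exposes prefixes and hashes but no usable credentials, which is also why a lost key can only be replaced, not recovered.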

Using Your API Key

Include the API key in every request using one of two methods:

Option 1: Authorization: Bearer Header

curl -H "Authorization: Bearer gm_live_..." \
  https://app.gloriamundo.com/api/v1/workflows/{id}/execute

Option 2: X-API-Key Header

curl -H "X-API-Key: gm_live_..." \
  https://app.gloriamundo.com/api/v1/workflows/{id}/execute

Both methods are equivalent. The Authorization: Bearer approach is the standard convention.

Session authentication required

API key management endpoints (list, create, revoke) require session authentication — you must be signed in to the GloriaMundo web app. Requests that include an Authorization: Bearer or X-API-Key header are rejected with 403 Forbidden. Use your browser session or a session cookie to call these routes.

Listing API Keys

# Requires a browser session — API key headers are rejected.
# To get your session cookie: open browser DevTools →
#   Chrome/Edge: Application → Cookies
#   Firefox: Storage → Cookies
# Copy the "session" cookie value.
curl https://app.gloriamundo.com/api/v1/keys \
  --cookie "session=<your_session_cookie>"

Returns all your keys with their name, prefix, status, creation date, and last used date. The full key value is never returned.

Revoking an API Key

# Requires a browser session — see the Listing API Keys example for how
# to obtain the session cookie value.
curl -X DELETE https://app.gloriamundo.com/api/v1/keys/{key_id} \
  --cookie "session=<your_session_cookie>"

Revoked keys are immediately invalidated. Any requests using a revoked key will receive a 401 Unauthorized response.

Error Responses

Status Code              Meaning
401 Unauthorized         Missing, invalid, or revoked API key
429 Too Many Requests    Rate limit or spend limit exceeded

Security Best Practices

  • Don't commit keys to source control — Use environment variables
  • Use separate keys for different environments — Create distinct keys for production, staging, and development
  • Revoke unused keys — Remove keys you're no longer using
  • Monitor usage — Check the last_used_at field to identify inactive keys
