Every API call carries a bearer key in the Authorization header.
Include an Authorization header with every API request:
Authorization: Bearer crk_...Missing or invalid keys return HTTP 401. The /v1/health and /v1/ready endpoints are public and do not require authentication.
Manage keys via these endpoints:
POST https://api.crawlcrawl.com/v1/keys/rotate – Issues a new key. The old key remains valid for 5 minutes.DELETE https://api.crawlcrawl.com/v1/keys/{prefix} – Revokes a key by its prefix.GET https://api.crawlcrawl.com/v1/keys – Lists all active keys for the project.Keys begin with crk_ followed by 24 random bytes base64url-encoded. Keys are SHA256-hashed at rest. The plaintext is shown once at creation; store it securely.
Every authenticated request is logged with timestamp and key prefix. Retrieve logs with:
GET https://api.crawlcrawl.com/v1/logs