Skip to main content
Every request you make to the Pharen API must be authenticated. The API uses Bearer token authentication — you include a long-lived API key in the Authorization header of each request. Without a valid key, the API returns a 401 Unauthorized response and does not process your request.

Generating an API Key

You manage your API keys from inside the Pharen Hub dashboard:
  1. Sign in to app.pharen.de.
  2. Navigate to Settings → API Keys in the left sidebar.
  3. Click Generate New Key.
  4. Give your key a descriptive name (e.g., ci-pipeline or data-export-script).
  5. Copy the key immediately — it is only shown once in full at creation time.
Treat your API key like a password. Anyone who holds it can make API calls on behalf of your workspace. Do not commit keys to source control, log them, or expose them in client-side code. Use environment variables or a secrets manager instead.

Using Your API Key

Pass your API key as a Bearer token in the Authorization header of every HTTP request: 
Authorization: Bearer YOUR_API_KEY
The examples below show how to do this in the most common languages and tools. 
curl https://api.pharen.de/v1/new-page \
  --request GET \
  --header "Authorization: Bearer YOUR_API_KEY" \
  --header "Content-Type: application/json"
In the examples above, the API key is read from an environment variable (PHAREN_API_KEY). This is the recommended approach — it keeps secrets out of your codebase and makes rotating keys straightforward.

Authentication Errors

If your request cannot be authenticated, the API responds with one of the following errors:
StatusCodeCause
401 Unauthorizedmissing_tokenNo Authorization header was present in the request.
401 Unauthorizedinvalid_tokenThe token provided is malformed, expired, or does not exist.
403 Forbiddeninsufficient_permissionsThe key is valid but lacks permission to access this resource or perform this action.
An error response looks like this: 
{
  "error": {
    "code": "invalid_token",
    "message": "The API key provided is invalid or has been revoked."
  }
}

Revoking a Key

If a key is compromised or no longer needed, revoke it immediately from Settings → API Keys in the dashboard. Revoked keys stop working instantly. You can generate a replacement key at any time without disrupting other keys.
Rotating keys periodically is a good security practice, even if you have no reason to suspect a compromise. Consider setting a reminder to rotate production keys every 90 days.

Key Scopes and Permissions

API keys inherit the permissions of the workspace member who created them. If that member’s role is changed or their account is deactivated, all keys they created will reflect the updated permissions (or stop working, in the case of deactivation). For production integrations, it’s best practice to create keys under a dedicated service account with only the permissions your integration requires.