Authentication

Acme Platform supports multiple authentication methods depending on your use case. This guide covers API keys for server-to-server communication, OAuth 2.0 for user-facing applications, and session tokens for the web dashboard.

API Keys

API keys are the simplest way to authenticate server-side requests. Each key is scoped to a single project and can be rotated independently.

1. Navigate to Settings > API Keys in the dashboard.
2. Click Create Key and assign a descriptive name.
3. Copy the key immediately — it is only shown once.

Include the key in the Authorization header:

curl -H "Authorization: Bearer acme_sk_live_abc123" \
  https://api.acme-platform.com/v1/projects

Caution

Never expose API keys in client-side code. Use environment variables or a secrets manager to store them.

OAuth 2.0

For applications that act on behalf of users, Acme Platform implements the OAuth 2.0 Authorization Code flow with PKCE. This is the recommended approach for web and mobile applications.

Parameter	Value
Authorization URL	https://auth.acme-platform.com/authorize
Token URL	https://auth.acme-platform.com/token
Scopes	read, write, admin

Token Refresh

Access tokens expire after 1 hour. Use the refresh token to obtain a new access token without requiring user interaction:

curl -X POST https://auth.acme-platform.com/token \
  -d grant_type=refresh_token \
  -d refresh_token=YOUR_REFRESH_TOKEN \
  -d client_id=YOUR_CLIENT_ID

Next Steps

With authentication configured, see the Deployment guide to learn how to ship your application to production.