Authentication
How API tokens are issued, scoped and presented on requests.
Token format
⚠ TODO — Engineering
Document the API token format. Is it a JWT? An opaque string? How is it presented —
Authorization: Bearer ..., a custom header, or a query parameter? Include a worked example with a placeholder value.
Issuing tokens
⚠ TODO — Engineering
Where do customers issue API tokens — the Appice panel, an admin API call, both? Document the steps and any required role/permission to do so.
Scopes
⚠ TODO — Engineering
Document the scopes / permissions a token can carry. Include the minimum-privilege scope for common operations (write events, read users, manage webhooks).
Rotation & expiry
⚠ TODO — Engineering
Document token rotation: are tokens long-lived or short-lived? Is there a refresh flow? What's the recommended rotation cadence? What happens when a token expires (HTTP 401 — link to Errors)?
Storing tokens
Never embed an API token in client-side code (mobile binaries, web bundles, public repos). Use the SDKs for client-side capture; reserve the REST API for server-to-server calls.