Authentication
The REST API uses the same API keys as AI / Agent access. Mint a key, then send it as a bearer token.
Get a key
Section titled “Get a key”Create an API key in Settings → LLM / API Access in the Assemblified admin — the same API keys for REST and your own agent card that serves desktop and CLI AI assistants. The full walkthrough (labels, the one-time reveal, revoking) lives in the Agent-access docs:
Scopes
Section titled “Scopes”Pick the key’s scope when you create it:
| Scope | What it allows over REST |
|---|---|
| Read only | All GET endpoints — list, get, inventory levels. |
| Read & write | Everything a read key can, plus the PATCH endpoints (virtual materials only). |
A PATCH with a read-only key returns 403 FORBIDDEN_SCOPE. A key keeps the scope it was created with; to change it, revoke the key and mint a new one.
Send the token
Section titled “Send the token”Put the key in the Authorization header:
curl -s -H "Authorization: Bearer asmk_xxxxxxxx" \ "https://assemblified.com/api/v1/raw-materials"- A missing or invalid token returns
401immediately — before any data is touched. - A revoked key returns
401. Revoke in Settings → LLM / API Access at any time. - The key identifies your shop on its own; there is no shop id in the URL.
Managing access
Section titled “Managing access”Each request is recorded in the audit log (tagged rest:), so you can see which key made which call. Manage and revoke keys from Settings → LLM / API Access.