Skip to content

Authentication

The REST API uses the same API keys as AI / Agent access. Mint a key, then send it as a bearer token.

Create an API key in Settings → LLM / API Access in the Assemblified admin — the same API keys for REST and your own agent card that serves desktop and CLI AI assistants. The full walkthrough (labels, the one-time reveal, revoking) lives in the Agent-access docs:

Pick the key’s scope when you create it:

ScopeWhat it allows over REST
Read onlyAll GET endpoints — list, get, inventory levels.
Read & writeEverything a read key can, plus the PATCH endpoints (virtual materials only).

A PATCH with a read-only key returns 403 FORBIDDEN_SCOPE. A key keeps the scope it was created with; to change it, revoke the key and mint a new one.

Put the key in the Authorization header:

Terminal window
curl -s -H "Authorization: Bearer asmk_xxxxxxxx" \
"https://assemblified.com/api/v1/raw-materials"
  • A missing or invalid token returns 401 immediately — before any data is touched.
  • A revoked key returns 401. Revoke in Settings → LLM / API Access at any time.
  • The key identifies your shop on its own; there is no shop id in the URL.

Each request is recorded in the audit log (tagged rest:), so you can see which key made which call. Manage and revoke keys from Settings → LLM / API Access.