Every request to the RCB Automation API must include a valid API key. The API uses Bearer token authentication — you generate a key in your account settings and pass it in the Authorization header on each request. Keys are long-lived but can be rotated or revoked at any time.

Generate an API key

1. Open Account Settings
   In the RCB Automation dashboard, click your avatar in the top-right corner and select Account Settings.

2. Navigate to API Keys
   Select the API Keys tab in the left navigation panel.

3. Create a new key
   Click New API Key, give it a descriptive label (for example, “Production server” or “CI pipeline”), and select the permission scope. Click Generate.

4. Copy the key
   Copy the key immediately. For security, the full key is only shown once. If you lose it, you must revoke it and create a new one.

Pass the API key

Include the key in the Authorization header as a Bearer token on every request:
Authorization: Bearer YOUR_API_KEY
curl --request GET \
  --url https://api.rcbautomation.com/v1/workflows \
  --header 'Authorization: Bearer rcb_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6' \
  --header 'Content-Type: application/json'
A successful response returns a 200 OK status with the requested data:
{
  "data": [
    {
      "id": "wf_9kLmNpQrStUv",
      "name": "Weekly sales report",
      "status": "active",
      "created_at": "2026-02-14T09:00:00Z",
      "updated_at": "2026-03-01T14:22:11Z",
      "run_count": 47
    }
  ],
  "meta": {
    "total": 1,
    "page": 1,
    "per_page": 20
  }
}

API key scopes

When generating a key, choose a scope that matches the access level your integration requires:
| Scope | Permissions |
| --- | --- |
| read-only | GET requests only — list and retrieve resources |
| read-write | Full access — create, update, delete, and retrieve all resources |
Use read-only keys for dashboards, monitoring tools, and any integration that only needs to observe data. Reserve read-write keys for automation scripts and services that must create or modify resources.

Authentication errors

If your key is missing, malformed, or revoked, the API responds with 401 Unauthorized:
{
  "code": "unauthorized",
  "message": "No valid API key provided. Include your key in the Authorization header as 'Bearer YOUR_API_KEY'."
}
If your key is valid but lacks the required scope for the operation, the API responds with 403 Forbidden:
{
  "code": "forbidden",
  "message": "Your API key does not have permission to perform this action. A read-write key is required."
}
Common causes of 401 Unauthorized:
  • The Authorization header is missing entirely
  • The header value does not use the Bearer prefix (note the trailing space)
  • The API key has been revoked from the dashboard
  • The key was generated for a different RCB Automation account

Best practices

Never expose API keys in client-side code, public repositories, or browser-accessible files. Keys embedded in front-end JavaScript can be extracted by anyone who views your page source.
Follow these practices to keep your keys secure:
  • Use environment variables. Store keys in environment variables or a secrets manager (such as AWS Secrets Manager or HashiCorp Vault) rather than hardcoding them in source files.
  • Rotate keys regularly. Generate a new key and revoke the old one on a schedule (for example, every 90 days) or immediately after any suspected exposure.
  • Use one key per service. Assign a dedicated key to each application or environment (production, staging, CI). This makes it easy to revoke access for a single service without affecting others.
  • Use the minimum required scope. Grant read-only access unless the integration explicitly needs to create or modify data.
  • Audit active keys. Review your API Keys list in Account Settings periodically and revoke any keys that are no longer in use.
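
The "Use environment variables" practice and the 401/403 responses under Authentication errors can be combined in one small client. The sketch below is an added example, not RCB Automation's own code: the `RCB_API_KEY` variable name and the names `build_request`, `call`, `AuthError` and `ScopeError` are assumptions, and the `opener` parameter exists only so the function can be exercised without network access.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.rcbautomation.com/v1"
KEY_ENV_VAR = "RCB_API_KEY"  # assumed variable name, not defined by the API docs


class AuthError(Exception):
    """401: key missing, malformed, revoked, or from another account."""


class ScopeError(Exception):
    """403: key is valid but lacks the scope the operation needs."""


def build_request(path, method="GET"):
    # Read the key at call time so a rotated key is picked up without a code change.
    key = os.environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise AuthError(f"{KEY_ENV_VAR} is not set")
    headers = {
        "Authorization": f"Bearer {key}",  # "Bearer", one space, then the key
        "Content-Type": "application/json",
    }
    return urllib.request.Request(BASE_URL + path, method=method, headers=headers)


def call(path, method="GET", opener=urllib.request.urlopen):
    """Send the request and map 401/403 to distinct errors. Never logs the key."""
    try:
        with opener(build_request(path, method)) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            body = json.load(err)  # error body: {"code": ..., "message": ...}
        except ValueError:
            body = None
        if not isinstance(body, dict):
            body = {}
        detail = f"{body.get('code', err.code)}: {body.get('message', err.reason)}"
        if err.code == 401:
            raise AuthError(detail) from None  # check, rotate or reissue the key
        if err.code == 403:
            raise ScopeError(detail) from None  # key works; scope is too narrow
        raise
```

Treating the two errors separately matters operationally: an `AuthError` points at the key itself, while a `ScopeError` means a read-only key was used where a read-write key is required.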