Authentication
Every Wordcab request uses a Bearer API key. Create them in the dashboard or by API, scope them narrowly, rotate them safely.
Every request needs a Bearer token. Keys are created in the dashboard or via the API keys endpoint. The SDKs pick the token up from WORDCAB_API_KEY automatically; you can also pass it explicitly.
Creating a key
- Sign in at wordcab.com.
- Open Settings → API Keys.
- Click Create API key, give it a name and optional scopes, and copy the token.
The full secret is only shown at creation time. Store it in your secret manager immediately, you can always revoke and rotate.
Using a key
from wordcab import Wordcab
# Picks up WORDCAB_API_KEY from the environment
client = Wordcab()
# Or pass it explicitly
client = Wordcab(api_key="wc_live_xxxxxxxxxxxxxxxx")import { Wordcab } from "@wordcab/sdk";
const client = new Wordcab(); // env var
const client2 = new Wordcab({ apiKey: "wc_..." }); // explicitcurl https://api.wordcab.com/api/v1/agents \\
-H "Authorization: Bearer wc_live_xxxxxxxxxxxxxxxx"
Key prefixes
Every key has a visible prefix so you can tell environments apart in logs and incident reports.
| Prefix | Environment | Notes |
|---|---|---|
wc_live_ | Production | Cloud API production. Billable traffic. |
wc_test_ | Test | Sandbox. Not billable. Some fine-tuning endpoints are stubbed. |
wc_sh_ | Self-hosted | Issued by a self-hosted control plane. The secret never leaves your cluster. |
Scopes
Scopes bound a key's capabilities. Unscoped keys (*) are convenient during development but should be replaced with narrow keys in production.
| Scope | Description |
|---|---|
* | Full access to everything the owning user can reach. |
transcripts:read | List and retrieve transcripts. |
transcripts:write | Create transcription jobs. |
speech:write | Generate speech. |
agents:read / agents:write | View / create voice agents and configuration. |
calls:read / calls:write | View calls / place outbound calls and end active calls. |
gym:read / gym:write | Read or run test suites and experiments. |
deploy:read / deploy:write | Read or manage self-hosted deployment objects. |
webhooks:write | Register and manage webhook endpoints. |
Creating a scoped key via API
curl -X POST https://api.wordcab.com/api/v1/api-keys \\
-H "Authorization: Bearer $WORDCAB_API_KEY" \\
-H "Content-Type: application/json" \\
-d '{
"name": "transcription-worker",
"scopes": ["transcripts:read", "transcripts:write"],
"expires_at": "2026-12-31T23:59:59Z"
}' Rotating keys
Create a replacement key before revoking the old one, verify traffic is flowing on the new key in your logs, then revoke.
# 1. Create the replacement
wordcab keys create --name "transcription-worker-2026q2" --scope transcripts:write
# 2. Roll your app's secret, verify traffic under the new key id
# 3. Revoke the old one
wordcab keys revoke key_01H...Self-hosted deployments
On self-hosted installations, keys are issued by your control plane, not api.wordcab.com. The secret material never leaves the cluster and can be rotated without a support ticket.
- Issue keys via the CLI:
wordcab --env on-prem keys create - Integrate with your IdP: SAML and OIDC for users, SCIM for groups, and scoped service tokens for workloads.
- Stream the audit log (key created / used / revoked) to your SIEM over syslog or webhook.
For workload-to-workload traffic inside a cluster, prefer short-lived tokens minted from your service mesh or IdP over long-lived API keys. The control plane accepts any OIDC-signed JWT you configure.