KwitKwit Docs

Authentication

API keys and request security


API keys

  • Prefix: kwit_live_
  • Sent as Authorization: Bearer <full_key>
  • Scoped to one organization; all created resources belong to that org
  • Keys can expire; expired keys return 401

Resolution flow

  1. Extract the bearer token from the Authorization header
  2. Hash the token and look the hash up in the ApiKey table
  3. Reject the request if the token is missing, unknown, or expired
  4. Attach organizationId to the request context for all downstream services
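A worked resolver for the four steps above, together with the audit events described in the next section, as an added TypeScript example that is not KwitKwit's own server code. The in-memory ApiKey table, its sample rows, the organization ids, and SHA-256 as the key hash are assumptions for illustration; the client always receives a uniform 401 while the specific reason goes only to the audit record.

```typescript
import { createHash } from "crypto";

const KEY_PREFIX = "kwit_live_";

// Constructed stand-in for the ApiKey table: rows are keyed by the SHA-256 hex
// digest of the full key, so the plaintext key is never stored server-side.
interface ApiKeyRow { organizationId: string; expiresAt: Date | null; }

type AuthResult =
  | { ok: true; organizationId: string; audit: string }
  | { ok: false; status: 401; audit: "api_key.invalid"; reason: string };

function hashKey(fullKey: string): string {
  return createHash("sha256").update(fullKey).digest("hex");
}

// Constructed sample rows (not real keys or organizations).
const apiKeyTable = new Map<string, ApiKeyRow>([
  [hashKey("kwit_live_example_valid"), { organizationId: "org_example_1", expiresAt: null }],
  [hashKey("kwit_live_example_expired"), { organizationId: "org_example_2", expiresAt: new Date("2020-01-01T00:00:00Z") }],
]);

// route is the resource-type label logged on success, e.g. "customers.create".
function resolveApiKey(authHeader: string | undefined, route: string, now: Date = new Date()): AuthResult {
  const invalid = (reason: string): AuthResult =>
    ({ ok: false, status: 401, audit: "api_key.invalid", reason });

  // 1. Extract the bearer token from the Authorization header.
  if (!authHeader) return invalid("missing Authorization header");
  const m = /^Bearer\s+(\S+)$/i.exec(authHeader.trim());
  const token = m ? m[1] : undefined;
  if (!token) return invalid("malformed Authorization header");
  if (!token.startsWith(KEY_PREFIX)) return invalid("unexpected key prefix");

  // 2. Hash and look up; only the digest ever touches the table.
  const row = apiKeyTable.get(hashKey(token));

  // 3. Reject unknown or expired keys with the same status code.
  if (!row) return invalid("unknown key");
  if (row.expiresAt !== null && row.expiresAt.getTime() <= now.getTime()) return invalid("expired key");

  // 4. Attach organizationId for downstream services and emit the success audit label.
  return { ok: true, organizationId: row.organizationId, audit: `api_key.request.${route}` };
}
```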

Audit

Failed auth attempts are audit-logged (api_key.invalid). Successful requests log resource types per route (e.g. api_key.request.customers.create).

SDK

import Kwit from "@kwit/sdk";

const kwit = new Kwit({
  apiKey: process.env.KWIT_API_KEY!,
  maxRetries: 3,
  timeout: 15_000,
});

Never expose live keys in browser code - call Kwit only from your backend.
