All Coolset API endpoints require authentication using Bearer tokens.
- Log in to your Coolset account
- Navigate to Settings → API Tokens
- Click Generate New Token
- Copy and securely store your token
⚠️ Important: Treat your API tokens like passwords. Never share them or commit them to version control.
Include your token in the Authorization header of every request:
```
Authorization: Bearer YOUR_API_TOKEN
```

```bash
curl -X GET https://developers.coolset.com/api/accounts/user-config/ \
  -H "Authorization: Bearer sk_live_1234567890abcdef" \
  -H "Content-Type: application/json"
```

```javascript
// Send the token in the Authorization header of the request.
const response = await fetch('https://developers-scranton.coolset.com/api/orders/', {
  headers: {
    'Authorization': 'Bearer YOUR_API_TOKEN',
    'Content-Type': 'application/json'
  }
});
const data = await response.json();
```

```python
import requests

# Send the token in the Authorization header of the request.
headers = {
    'Authorization': 'Bearer YOUR_API_TOKEN',
    'Content-Type': 'application/json'
}
response = requests.get(
    'https://developers-scranton.coolset.com/api/orders/',
    headers=headers
)
data = response.json()
```

- Store tokens in environment variables
- Use separate tokens for development and production
- Rotate tokens regularly
- Revoke unused or compromised tokens immediately
- Use HTTPS for all API requests
- Never commit tokens to version control
- Don't share tokens via email or chat
- Avoid hardcoding tokens in your application
- Don't expose tokens in client-side code
- Never log tokens in application logs
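
The practices listed above (token from an environment variable, HTTPS only, no token in logs) combined in one client helper. This is an added example, not code from the Coolset documentation; the variable name `COOLSET_API_TOKEN` and the logger name are assumptions made for the example.

```python
import logging
import os
import urllib.request
from urllib.parse import urlsplit

# Assumed variable name for this example; Coolset does not define one.
TOKEN_ENV_VAR = "COOLSET_API_TOKEN"


def load_token(env=os.environ):
    """Read the token from the environment instead of hardcoding it."""
    token = env.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set")
    return token


def build_request(url, token):
    """Build an authenticated GET request; refuse anything but HTTPS."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, headers=headers, method="GET")


class RedactToken(logging.Filter):
    """Mask the token if it ever ends up in a log message."""
    def __init__(self, token):
        super().__init__()
        self.token = token

    def filter(self, record):
        message = record.getMessage()
        if self.token in message:
            record.msg = message.replace(self.token, "[REDACTED]")
            record.args = ()  # message is already fully formatted
        return True  # keep the record, only its text is changed


if __name__ == "__main__":
    token = load_token()
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("coolset-client")
    log.addFilter(RedactToken(token))
    req = build_request("https://developers.coolset.com/api/accounts/user-config/", token)
    log.info("prepared request headers: %s", req.header_items())
```

The filter is a safety net for accidental logging of headers; it does not replace keeping the token out of log calls in the first place.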
Tokens inherit the permissions of the user who created them. Ensure your API token has the appropriate access:
| Scope | Permissions |
|---|---|
| Read | View data across all endpoints |
| Write | Create and update resources |
| Admin | Full access including user management |
If you have access to multiple companies/workspaces:
- Each token is associated with a specific company
- Switch companies in the UI before generating tokens
- Or use the `/accounts/workspaces/` endpoint to manage context
- API tokens do not expire automatically
- Tokens remain valid until manually revoked
- We recommend rotating tokens every 90 days
To revoke a token:
- Go to Settings → API Tokens
- Click Revoke next to the token
- The token becomes immediately invalid
💡 Tip: Generate separate tokens for each integration or service. This makes it easier to revoke access without affecting other services.
Cause: Missing or invalid token
```json
{
  "detail": "Authentication credentials were not provided."
}
```

Solution: Verify your token is correct and properly formatted in the Authorization header.
Cause: Valid token but insufficient permissions
```json
{
  "detail": "You do not have permission to perform this action."
}
```

Solution: Check your user role and token permissions.