Authentication

Every /v1 endpoint is authenticated with your API key. Supply it on every request using the Authorization header with the Bearer scheme:

curl -sS "https://api.lemtika.com/v1/catalog" \
  -H "Authorization: Bearer $LEMTIKA_API_KEY"

The key resolves to your account's tenancy: the request is billed and brand-themed against that account's workspace. A key requires an active (or trialing) subscription to call the API (canUseApiKey). Create and rotate keys in API keys.

The API also accepts the key via an x-api-key: <your-api-key> header as an alternative to Authorization: Bearer. Prefer the Bearer header.

Common 401 causes

A 401 unauthorized means the key was missing, malformed, or revoked. Check:

  • No header sent — the request omitted both Authorization and x-api-key.
  • Malformed header — the Bearer prefix is missing, or there's a stray space or newline in the token (common when reading a key from a file).
  • Revoked key — the key was deleted in Settings → API keys. Revocation is immediate.
  • Wrong environment — a staging key sent to production (or vice-versa).

A 401 is distinct from 403 forbidden (the key is valid but lacks a capability, e.g. a lapsed subscription) and 402 insufficient-credits (valid key, empty balance). See Errors for the full table.

Versioning & stability

The public surface is the frozen /v1 contract: once you integrate, the request/response shapes will not change in a breaking way. New error codes and optional fields may be added additively, so always treat an unrecognized error.code by its HTTP status class rather than matching it exactly.