Overview
Lamina’s public Apps API uses workspace-scoped API keys. Send the key with either the x-api-key header or bearer auth. Use x-api-key unless you have a reason to standardize on bearer auth across your stack.
What The Key Grants Access To
An API key is bound to a Lamina workspace. That means the key determines:
- which private apps can be discovered
- which executions can be started
- which execution records can be read
- which workspace context is used for authorization
Workspace Scope
Keys are workspace-scoped, not user-scoped. In practice this means:
- your own workspace apps are available through the key
- public apps from other workspaces may also be visible
- requests are still checked against the key’s workspace context
If you send x-workspace-id, it must match the workspace associated with the API key.
Example
Security Recommendations
- Keep Lamina API keys on your server, not in browser code.
- Rotate keys if they are exposed in logs, screenshots, or commits.
- Create separate keys for staging and production.
- Prefer one key per integration so usage is easier to audit.
Common Authentication Errors
401 Missing API key
No supported auth header was sent.
401 Invalid API key
The key is malformed, revoked, or unknown.
403 Workspace header does not match API key workspace scope
The request included an x-workspace-id value that does not match the key’s workspace.
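The three errors above can be modelled as a small header check, which is useful as a stand-in for the API in integration tests so that real keys stay out of fixtures. This is an added example, not Lamina's code: the keys, workspace ids, the LAMINA_API_KEY variable name, the Authorization: Bearer header form and the order of the checks are assumptions.

```python
import os

# Constructed sample data (not real Lamina keys): key -> bound workspace.
KEYS = {"key_prod_demo": "ws_prod", "key_stage_demo": "ws_stage",
        "key_old_demo": "ws_prod"}
REVOKED = {"key_old_demo"}


def extract_key(headers):
    """Return the key from x-api-key, else from a bearer header, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-api-key", "").strip():
        return h["x-api-key"].strip()
    # Assumption: bearer auth uses the standard "Authorization: Bearer <key>".
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return None


def authorize(headers):
    """Model the documented checks; returns (status, message, workspace)."""
    key = extract_key(headers)
    if key is None:
        return 401, "Missing API key", None
    if key not in KEYS or key in REVOKED:
        return 401, "Invalid API key", None
    workspace = KEYS[key]
    claimed = {k.lower(): v for k, v in headers.items()}.get("x-workspace-id")
    # When the header is sent, it must equal the key's workspace.
    if claimed is not None and claimed != workspace:
        return 403, "Workspace header does not match API key workspace scope", None
    return 200, "OK", workspace


def client_headers(env=os.environ, workspace_id=None):
    """Build request headers server-side; the key never appears in source."""
    key = env.get("LAMINA_API_KEY")  # hypothetical variable name
    if not key:
        raise RuntimeError("LAMINA_API_KEY is not set")
    headers = {"x-api-key": key}
    if workspace_id:
        headers["x-workspace-id"] = workspace_id
    return headers


if __name__ == "__main__":
    print(authorize(client_headers({"LAMINA_API_KEY": "key_stage_demo"}, "ws_prod")))
```

Running the file sends a staging key with a production workspace id, which is the mismatch that separate staging and production keys make visible.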
Next Steps
- Read Quick Start to make your first request
- Read Apps and Executions to understand the lifecycle
- Read Server-Side Integration for production patterns